Abstract — A widespread design approach in distributed applications based on the service-oriented paradigm, such as web-services, consists of clearly separating the enforcement of authorization policies and the workflow of the applications, so that the interplay between the policy level and the workflow level is abstracted away. While such an approach is attractive because it is quite simple and permits one to reason about crucial properties of the policies under consideration, it does not provide the right level of abstraction to specify and reason about the way the workflow may interfere with the policies, and vice versa. For example, the creation of a certificate as a side effect of a workflow operation may enable a policy rule to fire and grant access to a certain resource; without executing the operation, the policy rule should remain inactive. Similarly, policy queries may be used as guards for workflow transitions.

In this paper, we present a two-level formal verification framework to overcome these problems and formally reason about the interplay of authorization policies and workflow in service-oriented architectures. This allows us to define and investigate some verification problems for SO applications and give sufficient conditions for their decidability.

I. Introduction 

A widespread design approach in distributed applications based on the Service-Oriented paradigm (SO), such as web-services, consists of clearly separating the Workflow (WF) from the Policy Management (PM). The former orchestrates complex processing of data performed by the various principals using a set of resources made available in the application, while the latter aims to regulate access decisions to the shared resources, based on policy statements made by the involved principals. This separation of concerns is beneficial in several respects for the design, maintenance, and verification of the resulting applications, such as reusing policies across applications.

One of the key problems in obtaining a correct design of SO applications is to be able to foresee all the — sometimes subtle — ways in which their WF and PM levels interact. To understand the difficulty underlying this endeavor, let us first consider the WF level. In this respect, SO applications can be seen as distributed systems whose transitions can be interleaved in many possible ways. This already creates a first difficult problem: to understand the behaviors of an SO application and then to establish if it meets certain properties. An additional burden, typical of SO applications, is the presence of the PM level, which is supposed to constrain the allowed behaviors of the application so as to meet certain crucial security requirements. Declarative policy languages (such as Datalog and other languages built on top of it, like Binder [13], SecPal [6] and DKAL [16]), usually based on a (fragment of) first-order logic, are used to design the PM level of SO applications in a more flexible, reusable, and verification-friendly way. The high flexibility and expressiveness of such languages may grant access to a resource to someone who, in the intention of the policy designer, is not allowed to do so.

To further complicate the situation, there are the subtle ways 
in which the WF and the PM levels may interact so as to 
give rise to behaviors that are unintended and may breach 
some crucial security requirements of an SO application. As 
a concrete example of this point, consider a system for virtual 
Program Committee meetings. A policy governing access to 
the reviews of a paper may be the following: a reviewer 
assigned to a paper is required to submit his own review before 
being able to read those of the others. So, in order to resolve an 
access request to the reviews of a paper, the system should be 
able not only to know the identities and the roles of the various 
members of the Program Committee but also to maintain and 
consult the information about which reviewers have already 
submitted their reviews. Indeed, information of the first kind 
must be derived from the WF level. 

Given all the difficulties to obtain correct designs for SO applications, formal methods have been advocated to help in this task. Unfortunately, most (see, e.g., [14], [23]) of the specification and verification techniques (with some notable exceptions, e.g., [20]) have concentrated on one level at a time and abstracted away the possible interplays between the WF and the PM level. The first contribution of this paper is a framework capable of formalizing both the WF and the PM level as well as their interface so as to enable a more precise analysis of the possible behaviors of SO applications. In particular, we use a temporal extension of first-order logic, similarly to what has been proposed in [17] for the specification and verification of reactive systems. The motivations for this choice are three-fold. First, workflows can be easily specified by using first-order formulae to describe sets of states and transitions of SO applications. Second, a simple extension of this well-known framework allows us to easily specify policy-relevant facts and statements. Third, we hope to adapt and reuse for the case of SO applications the cornucopia of specification and verification techniques developed for reactive systems. As a first step in this direction, the second contribution of this paper is to define and investigate some verification problems for SO applications and give sufficient conditions for their decidability. In particular, we show how executability and some security properties (which can be expressed as invariants) can be automatically verified within the proposed framework.

We proceed as follows. In Section II we summarize the key points of a restricted combination of first-order and temporal logic, which provides a formal basis for our approach. In Section III we present our formal two-level specification framework for SO applications, which we apply, in Section IV, to a number of interesting verification problems for SO applications. In Section V we discuss related and future work, and draw conclusions. Due to lack of space, proofs are given in the appendix, together with the detailed formalization of a case study that illustrates our framework at work, and with a number of useful pragmatic observations.

II. A RESTRICTED COMBINATION OF FIRST-ORDER LOGIC 
AND TEMPORAL LOGIC 

As a formal basis for our approach we use a standard [17] minimal extension of Linear Time Logic (LTL) with a many-sorted version of First-Order Logic with equality (FOL=). We recall now some useful definitions and properties of FOL= where, for brevity, we do not explicitly consider sorts although all notions can be easily adapted to the many-sorted version. We assume the usual first-order syntactic notions of signature, term, literal, formula, quantifier-free formula, substitution and grounding substitution, sort and so on, and call sentence a formula that does not contain free variables. Also the semantic notions of structure, satisfiability, validity, and logical consequence are the standard ones.

Let $\Sigma$ be a FOL= signature. An expression is a term, an atom, a literal, or a formula. A $\Sigma(x)$-expression is an expression built out of the symbols in $\Sigma$ where at most the variables in the sequence $x$ of variables may occur free, and we write $E(x)$ to emphasize that $E$ is a $\Sigma(x)$-expression. Similarly, for a finite sequence $r$ of predicate symbols in $\Sigma$, we write $\varphi(r)$ to denote a $\Sigma$-formula where at most the predicate symbols in $r$ may occur. We juxtapose sequences to denote their concatenation, e.g. $xy$, and abuse notation and write $\emptyset$ to denote the empty sequence besides the empty set. If $\sigma$ is a substitution and $t$ is a (finite) sequence of expressions, then $t\sigma$ is the sequence of expressions obtained from $t$ by applying the substitution $\sigma$ to each element of $t$.

Following [17], we use a tuple $x$ of variables, called WF state variables, to represent the values of application variables at a given instant of time, and use a FOL formula $\varphi(x)$ to represent sets of states. WF state variables take values in the domain of a first-order structure, which formalizes the data structures, the values of the control locations, and those of the auxiliary variables of the WF of a certain SO application. Formally, let $\Sigma$ be a signature (containing, e.g., the operators of certain data structures or the names of some control locations) and $\mathcal{M}$ be a $\Sigma$-structure; $\mathcal{M}, v \models \varphi(x)$ means that the state formula $\varphi(x)$ is true in $\mathcal{M}$ for the valuation $v$ mapping the variables in $x$ to elements of the domain of $\mathcal{M}$. As shown in [17], this is enough for the specification of virtually any reactive system and hence also for the WF level. However, the state of SO applications should also support the PM level whose relevant part is represented by tables where certain facts are recorded (e.g., "is-reviewer-of" for the example in the introduction). Following the relational model of databases, we formalize tables as predicates and we add to the WF state variables a set $p$ of fresh predicate symbols (i.e. $p \cap \Sigma = \emptyset$), called PM state variables. Any $\Sigma$-formula $\varphi(x,p)$ is an SO state formula. For a $\Sigma$-structure $\mathcal{M} = (I, D)$, a valuation $v$ mapping the WF state variables in $x$ to elements of the domain $D$, and a relational valuation $b$ mapping the PM state variables in $p$ (such that $p \cap \Sigma = \emptyset$) to the powerset of $D$, we write

$$\mathcal{M}, v, b \models \varphi(x,p)$$

to denote that $\mathcal{M}_b, v \models \varphi(x,p)$ where $\mathcal{M}_b = (I', D')$ is the $(\Sigma \cup p)$-structure obtained from $\mathcal{M}$ by taking $D' = D$, $I'|_{\Sigma} = I$, and $I'(p) = b(p)$ for each predicate symbol $p$ in $p$. The tuple $(\mathcal{M}, v, b)$ (or simply $v, b$, when $\mathcal{M}$ is clear from context) is an SO state.

Let $\Sigma$ be a signature and $\mathcal{M}$ be a $\Sigma$-structure. We formalize an SO application by a tuple $(x, p, \iota, Tr)$, called an SO transition system, where $x$ are the WF state variables, $p$ are the PM state variables, $\iota$ is a $\Sigma(x,p)$-formula, and $Tr$ is a finite set of $\Sigma(x, p, x', p')$-formulae, called transitions, which relate a set of SO states (identified by the "values" of $x, p$) to that of a set of SO "next" states (identified by the "values" of $x', p'$) (see footnote 1). If $p = \emptyset$ and $x \neq \emptyset$, then our notion of SO transition system reduces to that of transition system in [17]. In the rest of this paper, we assume that $p \neq \emptyset$.

A run of an SO transition system $(x, p, \iota, Tr)$ is an infinite sequence of SO states $v_0, b_0, v_1, b_1, \ldots$ such that $\mathcal{M}, v_0, b_0 \models \iota(x,p)$ and for every $i \geq 0$, there exists a transition $\tau(x, p, x', p') \in Tr$ such that $\mathcal{M}, v_i, b_i, v_{i+1}, b_{i+1} \models \tau(x, p, x', p')$ where $v_i, b_i$ (respectively, $v_{i+1}, b_{i+1}$) map state variables and predicates in $x, p$ (respectively, $x', p'$).

To specify properties of SO transition systems, we use an extension of Linear Time Logic. Formally, let $x, p$ be SO state variables and $\Sigma$ be a signature; the set $LTL(\Sigma, x, p)$ of LTL (state-based) formulae for $\Sigma$ and $x, p$ is inductively defined as follows: state formulae are in $LTL(\Sigma, x, p)$ and if $\varphi$ is a state formula then $\Box\varphi$ is in $LTL(\Sigma, x, p)$ (see footnote 2). Note that we prohibit alternation of FOL quantifiers and temporal operators: this makes the logic less expressive but it helps to derive decidability results for the satisfiability problem, which is a necessary condition to develop (semi-)automatic verification methods for SO applications.

Let $\mathcal{M}$ be a $\Sigma$-structure. A model of an $LTL(\Sigma, x, p)$-formula is an infinite sequence $v_0, b_0, v_1, b_1, \ldots$ of SO states such that each $v_i, b_i$ map all the SO state variables in $x, p$, for $i \geq 0$. We then say that an $LTL(\Sigma, x, p)$-formula $\varphi(x,p)$ is true in a model $v_0, b_0, \ldots, v_i, b_i, \ldots$ and write

$$\mathcal{M}, v_0, b_0, \ldots, v_i, b_i, \ldots \models \varphi(x,p)$$

iff

• $\mathcal{M}, v_0, b_0 \models \varphi$ whenever $\varphi(x,p)$ is a state formula;

• $\mathcal{M}, v_0, b_0, \ldots, v_i, b_i, \ldots \models \Box\varphi(x,p)$ iff $\mathcal{M}, v_k, b_k \models \varphi(x,p)$, for every $k \geq 0$.

Let $S = (x, p, \iota, Tr)$ be an SO transition system, $\mathcal{M}$ be a $\Sigma$-structure, and $\varphi(x,p)$ be an $LTL(\Sigma, x, p)$-formula. Then, $S \models \varphi(x,p)$ iff $\mathcal{M}, v_0, b_0, \ldots, v_i, b_i, \ldots \models \varphi(x,p)$ for every run $v_0, b_0, \ldots, v_i, b_i, \ldots$ of $S$. A state formula $\psi(x,p)$ is an invariant for the SO transition system $S$ if $S \models \Box\psi(x,p)$.

Footnote 1: We ignore fairness assumptions as, for simplicity in this paper, we are only concerned with security properties that can be encoded as a sub-class of safety properties.

Footnote 2: The minimalist temporal logic defined here suffices for the purposes of specifying the sub-class of invariant properties that are relevant for this paper. However, the proposed framework may be easily extended to support other temporal operators such as "sometimes in the future," "next", or "until."



III. A FORMAL TWO-LEVEL SPECIFICATION FRAMEWORK 
FOR SO APPLICATIONS 

Recall that one of the main goals of this paper is to provide a natural specification framework for SO applications whose architecture is organized in two levels. Indeed, it is possible to model a large class of SO applications by using the notion of SO transition system introduced in the previous section. However, a good framework should provide an adequate support to restrict the design space for a two-level SO application and allow the designer to easily specify the WF level, the PM level, and their interface in isolation according to a divide-and-conquer strategy. In our framework, this consists of identifying suitable first-order structures formalizing both the data structures at the WF level and the tables at the PM level. Unfortunately, working with first-order structures for specification is quite difficult since there is no obvious way to mechanically represent and reason about them. Fortunately, first-order theories are sets of FOL= sentences that can be used as reasonably precise approximations of first-order structures and for which there is automated reasoning support. Hence, we decided to use theories to describe the WF, the PM levels, and their interface, as illustrated in Fig. 1: if $T_{WF}$ and $T_{PM}$ are the theories formalizing the WF and the PM levels, respectively, then their intersection $T_{sub} = T_{WF} \cap T_{PM}$, called the substrate theory, formalizes their interface.

Intuitively, the theory $T_{sub}$ ensures that the WF and PM levels "agree" on certain notions. For example, $T_{sub}$ univocally identifies the principals involved in the SO application and possibly (an abstraction of) the structure of the resources that the SO application can access or make available. As we will see, the use of theories allows us to easily import declarative policy specifications expressed in logical languages based on (extensions of) Datalog in our framework.

A similar approach can also be used to restrict the formulae characterizing transitions. Intuitively, the transitions that can be specified by formulae in the identified class are such that the updates on the values of both the WF and the PM state variables are functional (if we regard relations as first-order objects). Since the identities of the principals involved in the SO application being specified play a crucial role in enabling or disabling the possibility to execute a certain transition, the functional updates will depend not only on the values of the actual SO state but also on the existence of certain principals.

Fig. 1. FOL formalization of the WF and PM levels of SO applications

Before being able to formalize these intuitions, we recall the 
concept of FOL= theory and some standard related notions. 

A. First-order theories for SO applications 

A $\Sigma$-theory $T$ is a set of first-order $\Sigma$-sentences, called the axioms of $T$. A $\Sigma$-structure $\mathcal{M}$ is a model of the $\Sigma$-theory $T$ iff all the sentences in $T$ are true in $\mathcal{M}$. A $\Sigma$-theory $T$ is consistent if it admits at least one model. The $T$-satisfiability problem for a quantifier-free $\Sigma$-formula $\varphi(x,p)$ (such that $p \cap \Sigma = \emptyset$) consists of checking whether there exists a model $\mathcal{M}$ of $T$ and mappings $v$ and $b$ such that $\mathcal{M}, v, b \models \varphi(x,p)$. By transformation in disjunctive normal form (i.e. as disjunctions of conjunctions of literals), the $T$-satisfiability problem for quantifier-free formulae can be reduced to the $T$-satisfiability problem for (quantifier-free) conjunctions of literals.

For specifying SO applications, we usually need to introduce a finite set of unique identifiers to name the various principals. Formally, this can be done by using a theory of the following kind. An enumerated data-type theory $EDT(C, S)$ is axiomatized by the sentences

and

for $S$ a sort symbol in the given signature (omitted for simplicity) and $C = \{c_1, \ldots, c_n\}$, $c_i$ of sort $S$ for $i = 1, \ldots, n$ and $n \geq 1$. It is easy to see that the $EDT(C, S)$-satisfiability problem is decidable. Enumerated data-type theories will be sub-theories of the theory formalizing the interface between the WF and PM levels.

For the WF level, we can reuse all the theories available in the literature formalizing data structures and the decision procedures for their satisfiability problem (see, e.g., [21] for an overview). Enumerated data-type theories are also useful for the WF level as they can formalize the (finitely many) control locations of an application. We now give a concrete example of a theory capable of formalizing a simple message passing network that is relevant for SO applications (see Appendix B for a more detailed case study).

Example 1 (Message passing): A net can be seen abstractly as a set of messages: sending a message amounts to adding the message to the set while receiving a message consists of checking if it is a member of the net; hence, messages are never deleted, only added to the set representing the net. This view is simple but still allows one to model interesting facts such as the reception of messages in any order (since a set does not require an ordering on its elements) or duplication of messages (as a message is never removed from the net).

To model the simple fragment of set theory necessary to formalize this idea in FOL, we use a theory MsgPass[Msg], parametrized over the sort Msg of messages, which contains SetOfMsg as the sort for sets of messages, the constant mty of sort SetOfMsg denoting the empty set, the binary function symbol ins of sort Msg × SetOfMsg → SetOfMsg denoting the operation of adding a message to a set of messages, and the binary predicate symbol mem of sort Msg × SetOfMsg for checking if a message is in a set of messages. The axioms of MsgPass[Msg] are the following three sentences:

$$\forall E.\ \neg mem(E, mty) \qquad\qquad \forall E, S.\ mem(E, ins(E, S))$$

$$\forall E, E', S.\ E \neq E' \rightarrow (mem(E, ins(E', S)) \leftrightarrow mem(E, S))$$

where $E, E'$ are variables of sort Msg and $S$ is a variable of sort SetOfMsg. It is easy to describe the states of a variable net: just introduce a logical variable $net$ and use suitable formulae from the theory MsgPass[Msg]. For example, the formula $\exists m_1, m_2 : Msg,\ net' : SetOfMsg.\ m_1 \neq m_2 \wedge net = ins(m_1, ins(m_2, net'))$ constrains $net$ to contain at least two messages (plus possibly others). Note that the only free variable in the formulae describing sets of states is $net$. The MsgPass[Msg]-satisfiability problem is decidable [1]. ■
For the PM level, we recall the class of Bernays-Schönfinkel-Ramsey (BSR) sentences, which has been used, among other applications, to model relational databases. A BSR-theory is a set of sentences of the form

$$\exists x \forall y.\ \varphi(x, y),$$

where $x$ and $y$ are tuples of variables and $\varphi$ is a quantifier-free formula containing only predicate and constant symbols (or, equivalently, no function symbols of arity greater than or equal to 1). The decidability of the satisfiability problem for any BSR-theory is a well-known result [9].

The following sub-class of BSR-theories can be used to specify policies as shown in, e.g., [18]. A Datalog-theory is a BSR-theory whose sentences are of the form

$$\forall x, y.\ q_1(x, y) \wedge \cdots \wedge q_n(x, y) \rightarrow p(x) \qquad (1)$$

where $p, q_i$, for $i = 1, \ldots, n$, are predicate symbols, and $x, y$ are disjoint tuples of variables such that the length of $x$ is equal to the arity of $p$. Usually, sentences of the form (1) are written as

$$\forall x, y.\ p(x) \leftarrow q_1(x, y) \wedge \cdots \wedge q_n(x, y),$$

where $\leftarrow$ can be read as the reverse of the implication connective (sometimes also the universal quantifiers will be dropped). Formulae written in this way are called rules in the literature, while their hypotheses and $p(x)$ are called the body and the head of the rule, respectively.
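Rules of the form (1) are evaluated by applying them to the known facts until a fixpoint is reached; the derived facts are exactly the logical consequences of the rules and the extensional tables. The following Python program is an added example, not code from the paper: a naive bottom-up Datalog evaluator run on a constructed policy. The `hasrole` table and the first rule follow the policy rule of Example 2 below; the `delegated` table, the second (recursive) rule and the `?`-prefixed variable syntax are assumptions made for this example.

```python
"""Naive bottom-up Datalog evaluation (added example, not from the paper).

Facts and rule heads/bodies are atoms (predicate, args); an argument
starting with '?' is a variable (a toy-syntax assumption). Rules have the
shape of (1): p(x) <- q_1(x,y) /\ ... /\ q_n(x,y), with every head variable
occurring in the body, so every derived head is ground.
"""


def is_var(term):
    """Variables are strings starting with '?' (assumption of this toy syntax)."""
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact_args, subst):
    """Extend `subst` so that `pattern` matches the ground `fact_args`,
    or return None when a constant or an earlier binding disagrees."""
    subst = dict(subst)
    for p, f in zip(pattern, fact_args):
        if is_var(p):
            if subst.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return subst


def substitute(atom, subst):
    """Apply a substitution to an atom (grounds the head of a rule)."""
    pred, args = atom
    return (pred, tuple(subst.get(a, a) for a in args))


def match_body(body, facts, subst=None):
    """Enumerate all substitutions that make every body atom a known fact."""
    subst = {} if subst is None else subst
    if not body:
        yield subst
        return
    (pred, args), *rest = body
    for fpred, fargs in facts:
        if fpred != pred or len(fargs) != len(args):
            continue
        extended = unify(args, fargs, subst)
        if extended is not None:
            yield from match_body(rest, facts, extended)


def derive(rules, facts):
    """Least fixpoint: apply every rule to the known facts until nothing new
    is derived. Terminates because the set of ground atoms over finitely
    many constants and predicates is finite."""
    known = set(facts)
    while True:
        new = set()
        for head, body in rules:
            for subst in match_body(body, known):
                new.add(substitute(head, subst))
        if new <= known:
            return known
        known |= new


def principals_with_access(derived, resource="Res"):
    """Answer the policy query can_access(?i, resource) over the fixpoint."""
    return sorted(args[0] for pred, args in derived
                  if pred == "can_access" and args[1] == resource)


# Constructed extensional tables: the PM state variable hasrole of
# Example 2 plus a made-up delegation table.
FACTS = {
    ("hasrole", ("Res", "Helen", "head")),
    ("hasrole", ("Res", "Ed", "employee")),
    ("delegated", ("Helen", "Ed", "Res")),
}

# Rule 1 is the policy rule of Example 2; rule 2 (recursive delegation) is
# an assumption added so that the fixpoint needs more than one round.
RULES = [
    (("can_access", ("?i", "Res")),
     [("hasrole", ("Res", "?i", "head"))]),
    (("can_access", ("?i", "Res")),
     [("can_access", ("?j", "Res")), ("delegated", ("?j", "?i", "Res"))]),
]

if __name__ == "__main__":
    print(principals_with_access(derive(RULES, FACTS)))  # ['Ed', 'Helen']
```

With only the first rule, Helen is the only principal granted access; the recursive second rule adds Ed in the second round of the fixpoint, which is the kind of consequence a policy designer may not intend and which the verification problems of Section IV are meant to catch.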

We conclude by recalling some notions that are relevant for the combination of theories that provide us with the formal tools to separately specify the WF and PM levels of an SO application and then modularly combine them. Let $T_1$ and $T_2$ be two theories; we say that they share the theory $T_0 = T_1 \cap T_2$ if $T_0 \neq \emptyset$ and their combination $T_1 \cup T_2$ is non-disjoint. Otherwise (i.e. when $T_0 = \emptyset$), we say that the combination $T_1 \cup T_2$ is disjoint. For verification, it is important to combine decision procedures for each theory $T_1$ and $T_2$ so as to obtain a decision procedure for their combination. This is crucial to derive decidability results for verification problems of SO applications as we will reduce them to satisfiability problems in the combination of the theories formalizing the WF and the PM levels. A class of theories that will be relevant in this task (see Lemma 2 below) is the following. A theory $T$ is stably infinite if a $T$-satisfiable quantifier-free formula is satisfiable in a model of $T$ whose domain has infinite cardinality. Examples of stably infinite theories are MsgPass[Msg] of Example 1, any BSR theory (see, e.g., [22]), and many theories formalizing data structures, such as arrays or sets. Enumerated data-type theories are not stably infinite as they admit only models whose domains have finite cardinality.

B. Two-level SO transition systems 

We are now ready to define an instance of the framework of Section II to formally specify SO applications designed according to the two-level architectures considered in this paper. This framework relies on the following assumptions.

Framework assumption 1: As depicted in Fig. 1, we assume that the WF and PM levels are formalized by a $\Sigma_{WF}$-theory $T_{WF}$ and a $(\Sigma_{PM} \cup p)$-theory $T_{PM}$, which share a $\Sigma_{sub}$-theory $T_{sub}$, called the substrate. Formally, $\Sigma_{sub} \subseteq \Sigma_{WF}$ and $\Sigma_{sub} \subseteq \Sigma_{PM}$, and $T_{sub} \subseteq T_{WF}$ and $T_{sub} \subseteq T_{PM}$. ■

The shared theory $T_{sub}$ plays the role of interface between the two levels. A minimal requirement on the interface is to provide some knowledge about the identities of the principals involved in the SO application. This is formalized as follows.

Framework assumption 2: $\Sigma_{sub}$ contains the sort symbol Id. ■

This last assumption is crucial for many aspects of SO applications related to PM, such as integrity (of messages or certificates), authenticity (of certificates), and proof-of-compliance (of credentials).

Using the notion of combination of theories introduced at the end of Section III-A we are now able to define the concept of background theory for an SO application that is obtained by modularly combining the theories formalizing the WF and the PM levels. Let $T_{sub}$, $T_{WF}$, and $T_{PM}$ be consistent theories satisfying Framework assumptions 1 and 2. The background $\Sigma_{SOA}$-theory $T_{SOA}$ is the union of the theories $T_{WF}$ and $T_{PM}$, i.e. $\Sigma_{SOA} := \Sigma_{WF} \cup \Sigma_{PM}$ and $T_{SOA} := T_{WF} \cup T_{PM}$. Note that, by Robinson's consistency theorem (see, e.g., [12]), $T_{SOA}$ is consistent since both $T_{WF}$ and $T_{PM}$ are assumed to be so. We will sometimes refer to $T_{WF}$ as the WF background theory and to $T_{PM}$ as the PM background theory.

We introduce a particular class of SO transition systems (defined in Section II) by using background theories obtained by combining theories for the WF and PM levels satisfying the two framework assumptions above. A technical problem in doing this is the following. SO transition systems (in particular their states and runs) are defined with respect to a certain first-order structure. Instead, we want to use theories that, in general, identify classes of first-order structures and not just one particular structure. However, since the verification problems for SO applications considered below will be reduced to satisfiability problems, the following notion tells us that — under suitable conditions — we can use theories in place of structures. A $\Sigma$-theory $T$ is adequate for a $\Sigma$-structure $\mathcal{M}$ if $\mathcal{M}, v \models \varphi(x)$, for some valuation $v$ mapping the variables in $x$ to elements of the domain of $\mathcal{M}$, is equivalent to the $T$-satisfiability of $\varphi(x)$, for any quantifier-free formula $\varphi(x)$. For example, it is possible to see that enumerated data-type theories are adequate for any of their models (as they are all isomorphic) or that the theory MsgPass[Msg] is adequate for the structure containing finite sets of messages.

As notation, let us write $\forall z.\ p(z) \leftrightarrow \iota_{PM}(i, p, z)$ (respectively, $\forall z.\ p'(z) \leftrightarrow \varphi(i, p, z)$) to abbreviate the finite conjunction, for $j = 1, \ldots, n$, of formulae of the form $\forall z_j.\ p_j(z_j) \leftrightarrow \iota_j(i, p, z_j)$ (respectively, $\forall z_j.\ p'_j(z_j) \leftrightarrow \varphi_j(i, p, z_j)$) when $p = p_1, \ldots, p_n$, $\iota_{PM} = \iota_1, \ldots, \iota_n$ (respectively, $\varphi = \varphi_1, \ldots, \varphi_n$), $z_j \subseteq z$, and the length of $z_j$ is equal to the arity of $p_j$.

Definition 1 (Two-level SO transition system): Let $T_{sub}$, $T_{WF}$, and $T_{PM}$ be consistent theories satisfying Framework assumptions 1 and 2 and $\mathcal{M}$ be a $\Sigma_{SOA}$-structure. A two-level SO transition system (with background theory $T_{SOA}$ adequate for $\mathcal{M}$) is an SO transition system $(x, p, \iota, Tr)$ such that (a) $p \cap \Sigma_{SOA} = \emptyset$; (b) $\iota$ is a state $\Sigma_{SOA}$-formula of the form:

$$\forall i.\ (\iota_{WF}(i, x) \wedge \forall z.\ p(z) \leftrightarrow \iota_{PM}(i, p, z)), \qquad (2)$$

where $i$ is a finite sequence of variables of sort Id, $\iota_{WF}$ is a quantifier-free $\Sigma_{WF}(i, x)$-formula, and $\iota_{PM}$ is a quantifier-free $\Sigma_{PM}(z, i, p)$-formula; and (c) $Tr$ is a finite set of transition formulae of the form

$$\exists i, d.\ (G(i, d) \wedge x' = f(x, i, d) \wedge \forall z.\ p'(z) \leftrightarrow \varphi(i, p, z)), \qquad (3)$$

called guarded assignment transitions, where $i$ is a tuple of variables of sort Id; $d, z$ are sets of variables of a sort dependent on the WF and PM levels of the application; $G$ is a quantifier-free formula, called the guard of the transition; $f$ is a tuple of $\Sigma_{WF}(x, i, d)$-terms, called the WF updates of the transition, whose sorts are pairwise equal to those of the state variables in $x$; and $\varphi$ is a tuple of quantifier-free $\Sigma_{PM}(i, p, z)$-formulae, called the PM updates of the transition. ■

If $x = \emptyset$ (recall that we have assumed that $p \neq \emptyset$ for SO transition systems, cf. Section II), then we say that the SO application is (purely) relational. Intuitively, the form (2) for the initial state formula is inspired by the observation that usually the principals at the beginning of the computation have some common (or no) knowledge about the facts that are relevant to the PM level. Note that $f$ and $\varphi$ may not contain the state variables in $x'$ and the state predicates in $p'$, i.e. updates are not recursive.



Below, for simplicity, we will no longer mention the structure $\mathcal{M}$ and implicitly assume that $T_{SOA}$ is adequate for $\mathcal{M}$. To help intuition, we illustrate the notion of two-level SO transition system by means of a simple example (extracted from the case study in the appendix).

Example 2: Consider a situation where the clerks of an 
office may send messages over a network. The messages may 
contain, among many other things, certificates about their 
identities, roles, or capability to access certain resources in 
the organization they belong to. Certificates about the identities 
and roles are issued by a trusted certification authority while 
those about the access to a certain resource are issued by heads 
(who are clerks with this special right). In order to comply 
with the policies of accessing resources, each clerk maintains 
a table about his/her identity, role, and access capability as well 
as about other clerks. We describe a two-level SO transition 
system to formalize this situation. 

First of all, we specify the WF background theory:

$$T_{sub} := EDT(\{Ed, Helen, RegOffCA, Res\}, Id) \cup EDT(\{employee, head\}, Role)$$

$$T_{WF} := T_{sub} \cup MsgPass[Msg] \cup Msg \cup Cert$$

where Ed and Helen are two clerks, RegOffCA is the trusted certification authority, Res is a shared resource (e.g., a repository), employee and head are the possible roles of clerks, and MsgPass[Msg] is the theory for message passing introduced in Example 1. In particular, Msg is a theory to describe the structure of messages as follows: a message contains a field identifying the sender, a field identifying the receiver, and a field carrying their contents. Formally, this is done by introducing two new symbols: the sort Body and the ternary function msg of sort Id × Body × Id → Msg. Finally, Cert is a theory to provide functionalities to analyze the body of messages and extract some relevant information: the predicate cert_of_role of sort Body × Id × Role is capable of recognizing that the body of a message contains a certificate that its second argument is the identifier of a clerk whose role is that of its third argument. For example, if cert_Ed_empl is a constant of sort Body representing the certificate that the employee Ed has the role employee, then the message sent by RegOffCA to Helen containing the certificate cert_Ed_empl is encoded by the following term: msg(RegOffCA, cert_Ed_empl, Helen), and we will also have that, e.g., cert_of_role(cert_Ed_empl, Ed, employee) holds.

The state of the two-level SO transition system specifying the situation above should contain a WF state variable net of sort SetOfMsg (containing the set of messages exchanged during a run of the transition system) and a PM state variable hasrole of arity Id × Id × Role (storing the join of the tables of each clerk about their roles). The initial state of the system should specify that no message has been exchanged over the net and that no role is known to the various clerks. This can be formalized by a state formula as follows:

$$net = mty \wedge \forall z_1, z_2, r.\ hasrole(z_1, z_2, r) \leftrightarrow false,$$

which is a formula of the form (2) by taking $i = \emptyset$, $z = \{z_1, z_2, r\}$, $net \in x$, and $hasrole \in p$.

As an example of interplay between the WF and PM levels, Fig. 2 shows the guarded assignment transition of the form (3) that formalizes what happens when a message containing a certificate about the role of an employee (say, Ed) is sent to another employee (say, Helen) by the certification authority (RegOffCA). Note that the content of the state variable net is left unchanged by the transition, whose only effect is to update the access table (represented by the predicate hasrole) with the entry corresponding to the content of the received (role) certificate. For example, upon reception of the message containing the certificate cert_Ed_empl, the following fact hasrole'(Helen, Ed, employee) must hold in the next state, while for all the other triples, hasrole' has the same Boolean value of hasrole.

$$\exists i_1, i_2, c.\ \big(mem(msg(RegOffCA, c, i_1), net) \wedge cert\_of\_role(c, i_2, employee) \wedge net' = net \wedge$$

$$\forall z_1, z_2, d.\ hasrole'(z_1, z_2, d) \leftrightarrow (\text{if } (z_1 = i_1 \wedge z_2 = i_2 \wedge d = employee) \text{ then } true \text{ else } hasrole(z_1, z_2, d))\big)$$

where $i_1, i_2, z_1, z_2$ are variables of sort Id, $c$ is a variable of sort Body, and $d$ is a variable of sort Role.

Fig. 2. A formalization of the interplay between WF and PM levels by a guarded assignment transition (cf. Example 2)

So far, we have specified the WF level of the SO application. 
As anticipated above, we can define $T_{PM}$ to contain $T_{sub}$ 
and a finite set of Datalog rules that declaratively formalize 
the access policy statements of the SO application. Since 
this way of formalizing policies has been well studied in the 
literature (see, e.g., [?]), as a simple example we only give 
the following Datalog rule 

$\forall i.\ \mathit{can\_access}(i, \mathit{Res}) \leftarrow \mathit{hasrole}(\mathit{Res}, i, \mathit{head}),$

where the variable $i$ is of sort Id and $\mathit{can\_access} \in \Sigma_{PM}$. 
It says that the clerk $i$ can access the shared resource Res 
if the latter knows (by retrieving the right entry in the table 
represented by hasrole) that $i$ has the role of head. ■ 
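The two-level state and the interplay just described, as an added runnable illustration that is not part of the paper: the Python code below (mine, not the authors') models the WF variable net, the PM variable hasrole, the guarded assignment of Fig. 2 (generalized from the fixed role employee to an arbitrary role) and the can_access Datalog rule. The message layout (sender, receiver, body), the certificate encoding ("cert", subject, role), the clerk name Res and all helper names are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional

CA = "RegOffCA"   # certification authority of Example 2
RES = "Res"       # the clerk guarding the shared resource (assumed name)


@dataclass(frozen=True)
class State:
    """A two-level state: one WF variable and one PM variable."""
    net: frozenset       # WF: set of messages (sender, receiver, body) exchanged so far
    hasrole: frozenset   # PM: triples (who_knows, subject, role), the join of the clerks' tables


def initial_state() -> State:
    """net = mty  and  forall z1, z2, r. hasrole(z1, z2, r) <-> false."""
    return State(frozenset(), frozenset())


def cert_of_role(body, subject, role) -> bool:
    """cert_of_role(c, i, r): body c is a role certificate stating that i has role r."""
    return body == ("cert", subject, role)


def send(s: State, sender, receiver, body) -> State:
    """A purely WF-level step: the message is put on the net; the PM table is untouched."""
    return State(s.net | {(sender, receiver, body)}, s.hasrole)


def receive_role_cert(s: State, receiver, subject, role, body) -> Optional[State]:
    """The guarded assignment of Fig. 2, for an arbitrary role instead of just `employee`.

    Guard:   mem(msg(RegOffCA, receiver, body), net) and cert_of_role(body, subject, role)
    Effect:  net' = net;  hasrole' = hasrole plus the single entry (receiver, subject, role)
    Returns None when the guard is false, i.e. the transition is not enabled."""
    if (CA, receiver, body) not in s.net or not cert_of_role(body, subject, role):
        return None
    return State(s.net, s.hasrole | {(receiver, subject, role)})


def can_access(s: State, i, res=RES) -> bool:
    """The Datalog rule  can_access(i, Res) <- hasrole(Res, i, head)  evaluated on s."""
    return (res, i, "head") in s.hasrole


def scenario():
    """Drive the interplay: the policy rule only fires after the WF delivered the certificate.

    Returns (access_before, blocked_without_message, access_after)."""
    s0 = initial_state()
    helen_is_head = ("cert", "Helen", "head")          # constructed certificate body
    before = can_access(s0, "Helen")                    # False: the table is empty
    blocked = receive_role_cert(s0, RES, "Helen", "head", helen_is_head) is None  # True: no message yet
    s1 = send(s0, CA, RES, helen_is_head)               # WF step: RegOffCA sends the certificate
    s2 = receive_role_cert(s1, RES, "Helen", "head", helen_is_head)  # guard now holds
    after = can_access(s2, "Helen")                     # True: hasrole(Res, Helen, head) is in the table
    return before, blocked, after


if __name__ == "__main__":
    print(scenario())  # (False, True, True)
```

The point the example makes concrete is the one the text states: the policy rule can only fire as a side effect of the WF operation, and the guard of the transition blocks the PM update while the certificate message is absent from net.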



Appendix C-A contains a generalization of the example 
above inspired by an industrial application. 

IV. Some verification problems for SO applications 

Let $\mathcal{A} = (x, p, \iota, Tr)$ be a two-level SO transition system 
with background theory $T_{SOA}$ for an SO application; for 
brevity, we will sometimes refer to $\mathcal{A}$ simply as an SO 
application. We define and investigate some verification problems 
for SO applications and give sufficient conditions for their 
decidability. In appendices C-B and C-C we then discuss 
pragmatic aspects of how to implement the decision procedures. 

A. Executability of SO applications 

Symbolic execution is a form of execution where many 
possible behaviors of a system are considered simultaneously. 
This is achieved by using symbolic variables to represent many 
possible states and executions. For each possible valuation of 
these variables, there is a concrete system state that is being 
indirectly simulated. This technique is particularly useful for 
the design of SO applications, where usually several scenarios 
are identified as typical execution paths that the application 
should support. Given the high degree of non-determinism 
and the subtle interplay between the WF and the PM levels, 
it is often far from obvious that the SO application 
just designed allows one or many of the chosen scenarios. 
A valuable contribution of the proposed framework is that 
symbolic execution of SO applications can be done by using 
existing techniques for automated deduction. 

In any scenario, there is only a known and finite number 
of principals. So, for the verification of the executability of 
two-level SO transition systems, we can assume that: 

Verification assumption 1: $T_{sub} \supseteq EDT(c, Id)$. ■ 

Since there are only finitely many principals, universal quantifiers 
in initial state formulae do not add to expressiveness, as 
$\forall i.\ \iota(i, x, p)$ is logically $T_{sub}$-equivalent to a quantifier-free 
formula of the form $\bigwedge_\sigma \iota(i\sigma, x, p)$, where $\sigma$ ranges over all 
possible grounding substitutions mapping the variables in $i$ to 
the constants in $c$. Thus, we can further assume that: 

Verification assumption 2: Initial state formulae as well as 
any other state formula used to describe a state of a scenario 
are quantifier-free. ■ 

The key notion for symbolic execution in our framework is 
the following. Let $\varphi(p, x)$ and $\psi(p, x)$ be two quantifier-free state 
$\Sigma_{SOA}$-formulae, and let $\tau(p, x, p', x') \in Tr$ be a transition 
formula of the form (3). We write $\{\varphi\}\,\tau\,\{\psi\}$ (in analogy 
with Hoare triples) to abbreviate the following formula: 

$\forall x, x'.\ (\varphi(p, x) \wedge \tau(p, x, p', x') \rightarrow \psi(p', x')), \qquad (4)$

whose validity modulo $T_{SOA}$ implies that the transition $\tau$ 
leads $\mathcal{A}$ from a state satisfying $\varphi$ to one satisfying $\psi$. 

Definition 2: Let $\mathcal{A} = (x, p, \iota, Tr)$ be a two-level SO 
transition system with background theory $T_{SOA}$, let $\tau_1, \ldots, \tau_n$ 
be a sequence of transition formulae such that $\tau_i \in Tr$, and let 
$\varphi_0, \ldots, \varphi_n$ be a sequence of quantifier-free state formulae. The 
(symbolic) execution problem consists of checking whether $\tau_{i+1}$ 
leads $\mathcal{A}$ from a state satisfying $\varphi_i$ to a state satisfying $\varphi_{i+1}$, 
or, equivalently, of checking 

$T_{SOA} \models \{\varphi_i\}\,\tau_{i+1}\,\{\varphi_{i+1}\}$

for each $i = 0, \ldots, n-1$. ■ 

Property 1: Let $\varphi$ and $\psi$ be two quantifier-free state formulae 
and $\tau$ be a transition. Then, it is possible to effectively compute 
a quantifier-free formula $\tilde\varphi$ that is logically equivalent to 
the negation of $\{\varphi\}\,\tau\,\{\psi\}$ and such that $T_{SOA} \models \{\varphi\}\,\tau\,\{\psi\}$ 
iff $\tilde\varphi$ is $T_{SOA}$-unsatisfiable. ■ 

That is, for quantifier-free $\varphi$ and $\psi$, the negation of 
$\{\varphi\}\,\tau\,\{\psi\}$ "is" still quantifier-free (e.g., the negation of 
$\{\iota\}\,\mathit{GetRoleCertEmpl}\,\{\varphi_1\}$ in the case study in Appendix B). 

If we are able to check the $T_{SOA}$-satisfiability of quantifier-free 
formulae, then we are also able to solve the symbolic 
execution problem for the two-level SO transition system with 
$T_{SOA}$ as background theory. We now identify sufficient conditions 
on the component theories of $T_{SOA}$ (i.e. $T_{sub}$, $T_{WF}$, and 
$T_{PM}$) for the decidability of the $T_{SOA}$-satisfiability problem. 

Lemma 1: Let $T_{sub}$ be an enumerated data-type theory, 
and $T_{WF} \supseteq T_{sub}$ and $T_{PM} \supseteq T_{sub}$ be consistent theories 
with decidable satisfiability problems. The $T_{SOA}$-satisfiability 
problem is decidable for $T_{SOA} = T_{WF} \cup T_{PM}$. ■ 

Pragmatic aspects of how to implement the decision 
procedures are discussed in Appendix C-B, extending the 
observations on the pragmatics of modeling WF and PM of 
SO applications of Appendix C-A. 



We are now in the position to state the main result of this 
section, which follows from the properties and lemmas above. 

Theorem 1: Let $T_{sub}$ be an enumerated data-type theory, 
and $T_{WF} \supseteq T_{sub}$ and $T_{PM} \supseteq T_{sub}$ be consistent theories with 
decidable satisfiability problems. Then, the symbolic execution 
problem for two-level SO transition systems with background 
theory $T_{SOA} = T_{WF} \cup T_{PM}$ is decidable. ■ 

Note that the use of an enumerated data-type theory as $T_{sub}$ 
does not imply that only two-level SO transition systems with 
finite state space can be verified by our method. In fact, both 
$T_{WF}$ and $T_{PM}$ can have models with infinite cardinalities 
(this is the case, for example, of the theory MsgPass). So, 
symbolic execution is decidable even if the state space of the 
two-level SO transition systems is infinite, provided that there 
exist decision procedures for the theories characterizing the 
WF and the PM levels and it is possible to find a common 
sub-theory, used for synchronization by the two levels, whose 
models are finite. 

B. Invariant verification of SO applications 

Recall that we fixed a two-level SO transition system $\mathcal{A} = 
(x, p, \iota, Tr)$ with background theory $T_{SOA}$. We now consider 
the problem of verifying that $\mathcal{A}$ satisfies a certain security 
property $\phi$, in symbols $\mathcal{A} \models \phi$. Since many interesting security 
properties can be expressed as invariance properties (e.g., for 
the verification of security protocols or web services), which 
are a sub-class of safety properties, we assume below that $\phi$ 
is a state formula of the form 

$\forall i : Id.\ \varphi(i, x, p). \qquad (5)$


Two remarks are in order. First, we are considering a sub-class 
of invariance properties since, in general, $\varphi$ can be a 
past-formula (see, e.g., [17]). Second, we cannot assume that 
a finite and known number of principals is fixed so that (5) is 
equivalent to a quantifier-free formula and thus the verification 
techniques in Section IV-A still apply. Rather, we want to 
verify that for a fixed but unknown number of principals, $\mathcal{A}$ 
satisfies the invariance property $\phi$, i.e. we want to solve a 
parameterized invariance verification problem. For this reason, 
in the rest of this section, we assume that: 

Verification assumption 3: $T_{sub}$ is the theory of an equivalence 
relation. ■ 

In this way, we are able to distinguish between the identifiers 
of the various principals. Now, in order to show that formulae 
of the form (5) are invariants of $\mathcal{A}$, we can use the well-known 
INV rule of Manna and Pnueli [?]: 

(I1) $T_{SOA} \models \forall i.\ \iota(i) \rightarrow \psi(i)$ 
(I2) $T_{SOA} \models \forall i.\ \psi(i) \rightarrow \varphi(i)$ 
(I3) $T_{SOA} \models \{\psi\}\,\tau\,\{\psi\}$ for each $\tau \in Tr$ 
------------------------------------------ 
$\mathcal{A} \models \Box\varphi$ 

The intuition underlying the correctness of the rule is the 
following. Assume there exists a formula $\psi$ of the form (5) 
identifying a set of states that includes both the set of initial 
states (I1) and the set of states characterized by $\varphi$ (I2), and, 
furthermore, is an invariant of $\mathcal{A}$ (I3), i.e. each transition $\tau$ 
in $Tr$ leads from a state satisfying $\psi$ to a state satisfying $\psi$ 
again. Then, also $\varphi$ is an invariant of $\mathcal{A}$. 

Using the INV rule, assuming that the invariant $\psi$ has been 
guessed, it is possible to reduce the problem of verifying 
that a certain property is an invariant of the application to 
several $T_{SOA}$-satisfiability problems. In fact, reasoning by 
contradiction, we have that (I1) and (I2) hold iff the quantifier-free 
formulae 

$\iota(i, p, x) \wedge \neg\psi(i, p, x) \quad \text{and} \quad \psi(i, p, x) \wedge \neg\varphi(i, p, x)$

are $T_{SOA}$-unsatisfiable, respectively, where the variables in $i$ 
are regarded as (Skolem) constants. Similarly, for a given $\tau$, 
(I3) holds iff the (universally) quantified formula 

$\forall i.\ \psi(i, p, x) \wedge \tau(p, x, p', x') \wedge \neg\psi(j, p', x')$

is $T_{SOA}$-unsatisfiable, where $x, x'$ and $j$ are regarded again as 
(Skolem) constants, for each $\tau \in Tr$. 

Property 2: Let $\psi_0(x, p) := \forall i.\ \psi(i, x, p)$ be a state formula 
and $\tau(x, p, x', p')$ be a transition formula. Then, it 
is possible to effectively compute a formula of the form 
$\psi'_1(i, x, p) \wedge \forall j.\ \psi'_2(j, x, p)$ that is logically equivalent to the 
negation of $\{\psi_0\}\,\tau\,\{\psi_0\}$ and such that $T_{SOA} \models \{\psi_0\}\,\tau\,\{\psi_0\}$ 
iff $\psi'_1(i, x, p) \wedge \forall j.\ \psi'_2(j, x, p)$ is $T_{SOA}$-unsatisfiable. ■ 
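The two kinds of proof obligation introduced in this section, the Hoare-style triple of Definition 2 / Property 1 and the three premises of the INV rule, as an added executable illustration that is not part of the paper: my Python code below instantiates the two-level state of Example 2 over a finite universe (two principals, two roles, messages only from RegOffCA), so that a triple $\{\varphi\}\,\tau\,\{\psi\}$ can be decided the way Property 1 suggests, by searching for a model of the negation $\varphi \wedge \tau \wedge \neg\psi$, and the universal quantifiers of (5) are instantiated over the finite set of identifiers as in the conjunction $\bigwedge_\sigma$ of Verification assumption 2. The universe, the message encoding, the extra send transition and the deliberately wrong grant_unchecked transition (included to show what a failed obligation returns) are my assumptions, not the paper's.

```python
from itertools import combinations

CA = "RegOffCA"
IDS = ("Helen", "Ed")                       # finite universe of principals (assumption 1)
ROLES = ("employee", "head")
BODIES = [("cert", subj, r) for subj in IDS for r in ROLES]          # role certificate bodies
MSGS = [(CA, rcv, body) for rcv in IDS for body in BODIES]           # messages RegOffCA can send
TRIPLES = [(z1, z2, r) for z1 in IDS for z2 in IDS for r in ROLES]   # possible hasrole entries


def powerset(items):
    return [frozenset(c) for n in range(len(items) + 1) for c in combinations(items, n)]


# A state is (net, hasrole); with 8 messages and 8 triples there are 2^8 * 2^8 states.
STATES = [(net, hasrole) for net in powerset(MSGS) for hasrole in powerset(TRIPLES)]
INITIAL = (frozenset(), frozenset())        # net = mty, hasrole everywhere false


# --- transitions: functions from a state to the list of all its successor states ---

def t_send(s):
    """WF level: RegOffCA puts one more certificate on the net (hasrole unchanged)."""
    net, hasrole = s
    return [(net | {m}, hasrole) for m in MSGS if m not in net]


def t_receive(s):
    """Fig. 2 generalised to any role: some certificate message on the net is
    turned into the table entry (receiver, subject, role); net' = net."""
    net, hasrole = s
    return [(net, hasrole | {(i1, i2, d)})
            for (_, i1, (_, i2, d)) in net if (i1, i2, d) not in hasrole]


def t_grant_unchecked(s):
    """Deliberately wrong PM-level transition, constructed for the demonstration:
    it adds a role entry without any certificate backing it."""
    net, hasrole = s
    return [(net, hasrole | {t}) for t in TRIPLES if t not in hasrole]


# --- state formulae, universal quantifiers instantiated over the finite universe ---

def psi(s):
    """Guessed inductive invariant: every table entry is backed by a RegOffCA certificate
    on the net, i.e. forall z1,z2,r. hasrole(z1,z2,r) -> mem(msg(RegOffCA,z1,cert(z2,r)), net)."""
    net, hasrole = s
    return all((CA, z1, ("cert", z2, r)) in net for (z1, z2, r) in hasrole)


def phi(s):
    """Property of interest: nobody is recorded as head without a head certificate."""
    net, hasrole = s
    return all((CA, z1, ("cert", z2, "head")) in net for (z1, z2, r) in hasrole if r == "head")


# --- proof obligations ---

def hoare(pre, tau, post):
    """Decide {pre} tau {post} (formula (4)) by searching for a model of its negation
    pre(s) and tau(s, s') and not post(s').  None means the triple is valid;
    otherwise the counterexample pair (s, s') is returned."""
    for s in STATES:
        if pre(s):
            for s2 in tau(s):
                if not post(s2):
                    return (s, s2)
    return None


def symbolic_execution(props, taus):
    """Definition 2: one check {phi_i} tau_{i+1} {phi_{i+1}} per step of the scenario."""
    return [hoare(props[i], taus[i], props[i + 1]) for i in range(len(taus))]


def inv_rule(initial_states, phi, psi, transitions):
    """The three premises of the INV rule for the candidate invariant psi."""
    return {
        "I1": all(psi(s) for s in initial_states),             # iota -> psi
        "I2": all(phi(s) for s in STATES if psi(s)),           # psi -> phi
        "I3": {name: hoare(psi, tau, psi) for name, tau in transitions.items()},  # {psi} tau {psi}
    }
```

With the two legitimate transitions all three premises are discharged, so $\Box\varphi$ holds for this instance; with the unchecked grant, obligation (I3) fails and hoare returns the offending pair of states, which is exactly the counterexample a decision procedure for $T_{SOA}$-satisfiability would produce from the negated triple.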

To be able to check that $\mathcal{A} \models \Box\varphi$, we need to solve the 
$T_{SOA}$-satisfiability problem of (universally) quantified formulae. 
We now identify sufficient conditions on the background 
theory $T_{SOA}$ for this problem to be decidable. 

Lemma 2: Let $\Sigma_{sub}$ contain only (countably many) constant 
symbols (i.e. $T_{sub}$ is the theory of an equivalence relation), 
$T_{WF} \supseteq T_{sub}$ be a consistent and stably-infinite theory with 
decidable satisfiability problem such that the signature of no 
function symbol in $\Sigma_{WF}$ is of the kind $S_1 \times \cdots \times S_n \rightarrow Id$ (for 
$S_i \in \Sigma_{WF}$ and $i = 1, \ldots, n$), and $T_{PM} \supseteq T_{sub}$ be a consistent 
BSR theory. Then, the $T_{SOA}$-satisfiability problem is decidable 
for formulae of the form 

$\forall i : Id.\ \varphi(i, x, p),$

where $T_{SOA} = T_{WF} \cup T_{PM}$ and $x$, $p$ are (finite) sequences 
of variables and predicate symbols (such that $p \cap \Sigma_{SOA} = \emptyset$), 
respectively. ■ 
As we have already said, there are many theories formalizing 
data structures (such as MsgPass) relevant for modeling 
the WF of SO applications which are stably infinite. Also, it is 
frequently the case that the data structures formalized by these 
theories use identifiers to create new pieces of information 
(typical examples are the certificates of the identities or the 
roles of principals) but do not create new identifiers. In this 
way, the requirement that functions in $T_{WF}$ do not create 
identifiers (syntactically, this is expressed by requiring that 
the return type of the functions is not Id) is frequently 
satisfied. We point out that this requirement is a sufficient 
condition to avoid the creation of new identifiers and it 
may be weakened. However, we leave the study of more 
general sufficient conditions to future work. As before, 
pragmatic aspects of invariant verification of SO applications 
are discussed in Appendix C-C, extending appendices C-A 
and C-B. 

We conclude this section with the main technical result, 
which follows from the above properties and lemma. 

Theorem 2: Let $\Sigma_{sub}$ contain only (countably many) constant 
symbols (i.e. $T_{sub}$ is the theory of an equivalence 
relation), $T_{WF} \supseteq T_{sub}$ be a consistent and stably-infinite 
theory with decidable satisfiability problem such that the 
signature of no function symbol in $\Sigma_{WF}$ is of the kind 
$S_1 \times \cdots \times S_n \rightarrow Id$ (for $S_i \in \Sigma_{WF}$ and $i = 1, \ldots, n$), and 
$T_{PM} \supseteq T_{sub}$ be a consistent BSR theory. Let $\mathcal{A} = (x, p, \iota, Tr)$ 
be a two-level SO transition system with background theory 
$T_{SOA} = T_{WF} \cup T_{PM}$, and $\forall i.\ \varphi(i, x, p)$ be a state formula. 
It is decidable to check whether $\mathcal{A} \models \forall i.\ \varphi(i, x, p)$, provided 
there exists a state formula $\forall i.\ \psi(i, x, p)$ such that (a) 
$T_{SOA} \models \forall i.\ \iota(i) \rightarrow \psi(i)$, (b) $T_{SOA} \models \forall i.\ \psi(i) \rightarrow \varphi(i)$, and 
(c) $T_{SOA} \models \{\psi\}\,\tau\,\{\psi\}$ for each $\tau \in Tr$. ■ 

Indeed, the usefulness of the theorem depends on the availability 
of the formula $\forall i.\ \psi(i)$, which is called an inductive 
invariant since it is preserved under the application of the 
transitions of the two-level SO transition system. Since the 
problem of finding such a formula when $p = \emptyset$ is undecidable 
(see, e.g., [17]), it is also undecidable in our case. However, 
several heuristics have been proposed; see, e.g., [17] for a recent 
proposal and pointers to the literature. An interesting line 
of future work is to adapt these techniques to find invariants 
of SO applications. Note that it is possible to dispense with 
the computation of the auxiliary invariant whenever $\forall i.\ \varphi(i)$ 
is already inductive, in which case conditions (a) and (b) of 
the theorem are trivially satisfied and we are only required to 
discharge proof obligation (c). 

V. Related work and conclusions 

We have presented a two-level formal framework that allows 
us to specify and verify the interplay of authorization policies 
and workflow in SO applications and architectures. In the 
previous sections, we already discussed relevant related works 
and also pointed out different research lines along which we 
are currently extending the techniques and results presented 
here. In particular, as we remarked, formal methods are being 
increasingly applied to support the correct design 
of SO applications. These works range from extending the 
workflow with access control aspects (e.g., [?], [19]) to, vice 
versa, embedding the workflow within the access control 
system (e.g., [6], [14], [16], [23]), thus mainly focusing on one 
level at a time and abstracting away most or all of the possible 
interplay between the WF and PM levels. Other works (e.g. 
[?], [?], [?], [20]) have in contrast proposed approaches that 
attempt to model and analyze the interplay. We believe that our 
framework is abstract enough to encompass such approaches 
and we are currently investigating how they can be recast in 
our framework. In particular, we plan to use our framework to 
model Petri nets and access control policies as in [?] so as to 
perform deductive-based model checking of security-sensitive 
business processes, and also to formally analyze properties of 
RBAC by adapting the framework of [4], [?]. Finally, we also 
plan to extend the framework as we presented it in this paper, 
e.g. with interfaces more refined than the $T_{sub}$ we considered 
here, so as to be able to perform modular reasoning in the 
assume-guarantee style. 
Appendix A 
Proofs 

Proof of Property 1: We reason by contradiction and 
reduce validity to satisfiability. The validity (modulo $T_{SOA}$) 
of formulae of the form (4) is equivalent to the $T_{SOA}$-unsatisfiability 
of the negation of (4), i.e. 

$\exists x, x'.\ \varphi(p, x) \wedge \tau(p, x, p', x') \wedge \neg\psi(p', x'),$

which, in turn, is equivalent to the $T_{SOA}$-unsatisfiability of 

$\exists x, x'.\ \varphi(p, x) \wedge \exists i, d.\ (G(i, d) \wedge x' = f(x, i) \wedge \forall z.\ p'(z) \leftrightarrow \phi(p, z, i)) \wedge \neg\psi(p', x').$

After some simple logical manipulations, the problem reduces 
to checking the $T_{SOA}$-unsatisfiability of the following 
quantifier-free formula 

$\varphi(p, x) \wedge G(i, d) \wedge x' = f(x, i) \wedge \forall z.\ p'(z) \leftrightarrow \phi(p, z, i) \wedge \neg\psi(p', x'),$

where $x, x'$ are considered as Skolem constants (or, equivalently, 
as implicitly existentially quantified variables). Now, to 
simplify our argument and make it easier to grasp, we use a 
little bit of higher-order logic and regard $\forall z.\ p'(z) \leftrightarrow \phi(p, z, i)$ 
as $p' = \lambda z.\ \phi(p, z, i)$. In this way, it is obvious that, after two 
simple substitutions, the last formula above becomes 

$\varphi(p, x) \wedge G(i, d) \wedge \neg\psi(\lambda z.\ \phi(p, z, i), f(x, i)),$

which is easily seen to be equisatisfiable to the previous one 
(intuitively, it is always possible to find an assignment for the 
variables in $x'$ when the last formula is satisfiable: just take the 
values of $f(x, i)$; a similar observation holds for the predicate 
symbols in $p'$). Now, we are left with the problem of checking 
whether the last formula is quantifier-free. To see this, recall 
that $\psi$ is quantifier-free and this implies that every occurrence 
of a predicate symbol in $p'$ is applied to a tuple of ground 
terms. Hence, the effect of substituting $p'$ with $\lambda z.\ \phi(p, z, i)$ is 
a tuple of quantifier-free formulae because of $\beta$-reduction. Let 
$\tilde\psi(\phi(p, i), f(x, i))$ be the result of exhaustively performing 
such $\beta$-reductions; then, the formula 

$\varphi(p, x) \wedge G(i, d) \wedge \neg\tilde\psi(\phi(p, i), f(x, i))$

is quantifier-free. This concludes the proof. ■ 
Proof of Lemma 1: We apply one of the results on non-disjoint 
combination of theories in [15], namely the following: 
if (i) $T_{sub}$ is a universal theory contained in both $T_{WF}$ and 
$T_{PM}$, (ii) $T_{sub}$ admits a model completion $T^*_{sub}$, (iii) every 
model of $T_{WF}$ and $T_{PM}$ embeds into a model of $T_{WF} \cup T^*_{sub}$ 
and of $T_{PM} \cup T^*_{sub}$, respectively, and (iv) $T_{sub}$ is effectively 
locally finite, then the $(T_{WF} \cup T_{PM})$-satisfiability problem is 
decidable (by an extension of the Nelson-Oppen combination 
schema). Let us check each of the conditions (i)-(iv): 

(i) This is satisfied by assumption. 

(ii) By a well-known result in model theory (see, e.g., [12]), a 
theory $T$ admitting elimination of quantifiers also admits 
a model completion $T^*$ and furthermore $T = T^*$. It 
is not difficult to check that $T_{sub}$ admits elimination 
of quantifiers (it is sufficient to note that $\exists x.\ \varphi(x)$ is 
$T_{sub}$-equivalent to $\bigvee_{c_i} \varphi(x/c_i)$ for $\varphi$ a quantifier-free 
formula and the $c_i$'s the constants denoting the elements of 
the domain of the enumerated data type). Hence, $T_{sub}$ 
admits a model completion and $T^*_{sub} = T_{sub}$. 

(iii) Since $T^*_{sub} = T_{sub}$ and, by assumption, $T_{WF} \supseteq T_{sub}$ and 
$T_{PM} \supseteq T_{sub}$, we have that $T_{WF} \cup T^*_{sub} = T_{WF} \cup T_{sub} = 
T_{WF}$ and, similarly, $T_{PM} \cup T^*_{sub} = T_{PM} \cup T_{sub} = T_{PM}$. 
This implies that every model of $T_{WF}$ (respectively, 
$T_{PM}$) is also a model of $T_{WF} \cup T^*_{sub}$ (respectively, 
$T_{PM} \cup T^*_{sub}$), which implies that every model of $T_{WF}$ 
(respectively, $T_{PM}$) can be embedded into a model of 
$T_{WF} \cup T^*_{sub}$ (respectively, $T_{PM} \cup T^*_{sub}$): just take the identity 
as the embedding.³ 

(iv) Indeed, the signature of an enumerated data-type theory 
is finite and consists of a finite set of constants, say 
$\{c_1, \ldots, c_n\}$ for some $n \geq 1$. The constants $c_1, \ldots, c_n$ are 
the representatives since, for every term $t$, $T_{sub} \models t = c_i$ 
for some $i$.⁴ 

■ 

Proof of Property 2: Reason by refutation and expand 
the definition of the negation of $\{\psi_0\}\,\tau\,\{\psi_0\}$, so as to obtain 
the following formula: 

$\exists x, x'.\ \forall i.\ \psi(i, p, x) \wedge \tau(p, x, p', x') \wedge \neg\forall i.\ \psi(i, p', x').$

This, in turn, is equivalent to 

$\exists x, x', j.\ \forall i.\ \psi(i, p, x) \wedge \tau(p, x, p', x') \wedge \neg\psi(j, p', x').$

Then, by recalling the definition of $\tau$ and performing the 
obvious substitutions (in a way similar to what we have done 
in the proof of Property 1 above), we obtain: 

$\exists x, x', j, k, d.\ \big( \forall i.\ \psi(i, p, x) \wedge G(k, d) \wedge x' = f(x, k) \wedge p' = \lambda z.\ \phi(p, z, k) \wedge$
$\quad \tau(p, x, \lambda z.\ \phi(p, z, k), f(x, k)) \wedge \neg\psi(j, \lambda z.\ \phi(p, z, k), f(x, k)) \big)$

which, by exhaustively applying $\beta$-reduction and considering 
existentially quantified variables as Skolem constants, is equivalent 
to 

$\forall i.\ \psi(i, p, x) \wedge G(k, d) \wedge \tilde\tau(p, x, \phi(p, z, k), f(x, k)) \wedge \neg\tilde\psi(j, \phi(p, z, k), f(x, k)),$

where $\tilde\tau$ and $\tilde\psi$ are the result of $\beta$-reducing the corresponding 
formulae. It is not difficult to see that the last formula is a 
conjunction of a universally quantified formula $\forall i.\ \psi(i, p, x)$ 
with a quantifier-free formula $\tilde\tau(p, x, \phi(p, z, k), f(x, k)) \wedge 
\neg\tilde\psi(j, \phi(p, z, k), f(x, k))$ and that it cannot be simplified 
further or, in other words, that the universal quantifier on $i$ 
cannot be removed. This concludes the proof. ■ 

³ An embedding $\mu$ between two $\Sigma$-structures $\mathcal{M} = (M, I)$ and $\mathcal{N} = 
(N, J)$ is a mapping from $M$ to $N$ such that $\mathcal{M} \models \alpha$ iff $\mathcal{N} \models \alpha$, for 
every $\Sigma^M$-atom $\alpha$. (In other words, an embedding between $\mathcal{M}$ and $\mathcal{N}$ is an 
isomorphism of $\mathcal{M}$ onto a sub-structure of $\mathcal{N}$.) We say that $\mathcal{M}$ is embeddable 
in $\mathcal{N}$ if there exists an embedding between $\mathcal{M}$ and $\mathcal{N}$. 

⁴ A $\Sigma$-theory $T$ is locally finite if $\Sigma$ is finite and, for every set of constants 
$a$, there are finitely many ground terms $t_1, \ldots, t_k$, called representatives, 
such that for every ground $\Sigma^a$-term $u$, we have $T \models u = t_i$ for some $i$. 
If the representatives are effectively computable from $a$ and $t_i$ is computable 
from $u$, then $T$ is effectively locally finite. 
Proof of Lemma 2: We claim that the quantifier-free 
formula 

$\bigwedge_\sigma \varphi(i\sigma, x, p)$

is $T_{SOA}$-equisatisfiable to the universally quantified formula 
above, where $\sigma$ ranges over all possible ground substitutions 
mapping the variables in $i$ to a finite subset of constant symbols 
in $\Sigma_{sub}$. If the $T_{SOA}$-satisfiability problem is decidable 
for quantifier-free formulae, then the proof is complete. To 
this end, we use the same combination result in [15] as that 
for Lemma 1, i.e. if (i) $T_{sub}$ is a universal theory contained 
in both $T_{WF}$ and $T_{PM}$, (ii) $T_{sub}$ admits a model completion 
$T^*_{sub}$, (iii) every model of $T_{WF}$ and $T_{PM}$ embeds into a model 
of $T_{WF} \cup T^*_{sub}$ and of $T_{PM} \cup T^*_{sub}$, respectively, and (iv) $T_{sub}$ 
is effectively locally finite, then the $(T_{WF} \cup T_{PM})$-satisfiability 
problem is decidable (by an extension of the Nelson-Oppen 
combination schema). Let us check each of the conditions (i)-(iv): 

(i) $T_{sub}$ is the theory of an equivalence relation, which can 
be axiomatized by a finite set of universal sentences 
corresponding to reflexivity, symmetry, and transitivity. 
Hence, $T_{sub}$ is universal. 

(ii) It is well-known that the model completion $T^*_{sub}$ of the 
theory of an equivalence relation is the theory of an 
infinite set (see, e.g., [15]). 

(iii) It is possible to show that this is equivalent to stable 
infiniteness (again, see [15]), which is an assumption for 
$T_{WF}$, while it can be easily shown that any BSR theory 
is stably infinite (see, e.g., [22]); hence $T_{PM}$ is also so. 

(iv) $T_{sub}$ is the theory of an equivalence relation with 
finitely many equivalence classes. So, although there 
are infinitely (more precisely, countably) many constant 
symbols of sort Id, there exists a finite subset $C = 
\{c_1, \ldots, c_n\}$ such that for any other constant symbol $d$ of 
sort Id, we have $T_{sub} \models d = c_i$ for some $i \in \{1, \ldots, n\}$. 
This means that $T_{sub}$ is an effectively locally finite theory. 

Thus, we conclude that the $T_{SOA}$-satisfiability problem for 
quantifier-free formulae is decidable. 

To conclude the proof, we are left with the problem of 
proving the claim above. To this end, first of all, recall that 
$T_{sub}$ is effectively locally finite. Then, observe that $T_{PM}$ is a 
BSR theory and hence $\Sigma_{PM}$ has no function symbol of arity 
greater than 0. Furthermore, recall that, by assumption, all 
function symbols of arity greater than 0 in $\Sigma_{WF}$ are such that 
their return type is not Id. Thus, we have that $T_{PM} \models d = c_i$ 
and $T_{WF} \models d = c_i$ for every constant symbol $d$ of sort Id in 
$\Sigma_{sub}$ and some $c_i \in C$. This is so because the reduct to $\Sigma_{sub}$ 
of every $\Sigma_{PM}$-model of $T_{PM}$ and $\Sigma_{WF}$-model of $T_{WF}$ is a 
model of $T_{sub}$. So, if the quantifier-free formula 

$\bigwedge_\sigma \varphi(i\sigma, x, p)$

is $T_{SOA}$-unsatisfiable, where $\sigma$ is a ground substitution mapping 
the variables in $i$ to the computable finite subset $C$ of the 
constants in $\Sigma_{sub}$ of sort Id, then the universally quantified 
formula 

$\forall i : Id.\ \varphi(i, x, p)$

is also unsatisfiable. For the converse, it is sufficient to recall 
that $T_{sub}$ is a universal theory and that universal theories are 
closed under sub-structures, i.e. any sub-structure of a model 
of the theory is also a model. This implies that if the quantifier-free 
formula above is $T_{SOA}$-satisfiable, then the universally 
quantified formula is also so. ■ 

Appendix B 
A case study: Car Registration Office 

The techniques and results that we give in this paper are 
general and independent of particular concrete applications, 
but, to illustrate them concretely, it is useful to consider an 
example from industrial practice: we consider a simplified 
version of the car registration office case study described 
in [?], which can be intuitively summarized as follows. 

A citizen, called Charlie, submits a request to register his 
new car to an employee, called Ed, of the local car registration 
office CRO.⁵ Charlie's message contains all the documents to 
support his request and it is suitably signed. Upon reception 
of the request, Ed has appropriate support for checking the 
signature of the document and comparing it with the identity 
of the sender of the request: if the signature and the identity 
of the requester do not match, then the request is immediately 
refused and the sender is notified of this fact; otherwise, 
Ed starts to consider the content of the request for the car 
registration. If, according to some criteria (that are abstracted 
away in the specification), the request is not suitably supported 
by the documents, then the request is refused and, again, the 
sender is notified of this fact; otherwise, the request is 
accepted, the sender is notified of the acceptance and the 
request is marked as accepted, signed by Ed, and finally sent 
to the central repository CRep to be archived. 

This process is completely transparent to Charlie and, in 
order to be successfully completed, Ed should have the right to 
store documents in the CRep. This right can only be granted by 
the head of the CRO, a (special) employee called Helen. Upon 
reception of the request by Ed to store a processed request in 
its internal database, the CRep checks whether Ed has been 
granted the right to do so. If this is the case, the CRep stores 
the document; otherwise, it refuses to comply. 

Roles are assigned to employees (of the CRO) by circulating 
appropriate certificates, such as, e.g., "Ed is an employee" or 
"Helen is the head of the CRO." These certificates are emitted 
by a certification authority RegOffCA that is recognized by 
the employees of the CRO and the CRep. Permissions to store 
documents in the CRep are also distributed to employees by 
creating appropriate certificates; however, these certificates are 
created by the head of the CRO (not by the certification 
authority). 

⁵ We have abstracted away the mechanism assigning a citizen request to a 
certain employee of the car registration scenario. 

The CRep, before storing a processed request in its internal 
database, checks whether the employee has the right to do 
so. For this to be successfully executed, the following policy 
should be enforced: 

• an employee of the car registration office can store 
documents in the CRep, if the head of the car registration 
office permits it, 

and the following trust relationships should have been prelim- 
inarily established: 

• the RegOffCA is trusted by all employees, by the head of 
the car registration office, and the CRep for what concerns 
role certificates; and 

• the head of the car registration office is trusted by the 
CRep for action (e.g., storing documents) certificates. 

Finally, to be able to successfully execute the scenario with 
Charlie and Ed described above, the following certificates 
should be available in the system: 

• Ed is an employee of the car registration office (by a 
certificate emitted by RegOffCA), 

• Helen is the head of the car registration office (by a 
certificate emitted by RegOffCA), and 

• Helen permits Ed to store documents in the CRep (by a 
certificate emitted by Helen). 

Formalization 

Since only the exchange of messages drives the workflow 
of the system and the most interesting part of the case study 
concerns its policies, we adopt the MsgPass[Msg] theory 
described in Example 1. In the body of a message, documents 
(such as car registration requests or processed requests) can 
be embedded (embeddoc). Since both citizens and employees 
should be able to sign documents and the latter should also be 
able to check signatures, appropriate primitives are provided 
to generate signatures (sign), attach them to documents 
(augdocwithsign), and check that the signature attached 
to a document belongs to a certain principal (matchuser). 
An employee also has the primitive to attach a decision 
(accept or refuse) to a document containing a citizen 
request (augdocwithact). Finally, as role certificates should be 
distributed over the network, we provide an appropriate primitive 
(rolecert) to create these documents. (Role certificates are 
handled at the policy level only; see below for more details.) 
Now, we identify the theories involved: 

• $T_{sub} = EDT(\{\mathit{Charlie}, \mathit{Ed}, \mathit{Helen}, \mathit{CRep}, \mathit{RegOffCA}\}, Id) \cup 
EDT(\{\mathit{employee}, \mathit{head}\}, Role) \cup 
EDT(\{\mathit{storedoc}, \mathit{readdoc}\}, Action)$ 

• $T_{WF} = T_{sub} \cup \mathit{MsgPass}[\mathit{Msg}]$, the theory described in 
Example 1 above, 

• $T_{PM} = T_{sub} \cup \{\mathit{Knowledge}_0, \mathit{Say2know}_{00}, \mathit{Trustedknowledge}_{000}\}$, 
a set of Horn rules defined below.⁶ 
As we have said above, the workflow of the system is almost 
stateless. There are however two exceptions. One is the 
database of the central repository, which is modeled by the 
unary predicate dbdoc to which documents may only be added 
(and never deleted). The other is the unary predicate isok that 
allows us to abstract away the criteria according to which 
a citizen request is accepted or refused. This completes the 
description of the (static part of the) workflow. 

We now describe the policy level of the system. We adapted 
the DKAL [16] approach to specifying policies in our framework. 
To this end, DKAL provides predicates (knows and 
knows_0) to represent the knowledge of the various agents 
and predicates (saysTo and saysTo_0) for the communication 
between agents. 

It is important to observe the differences between the 
communication at the workflow and the policy levels of the 
system. The former (modeled via the MsgPass[Msg] theory) is 
stateful and thus modeled by an appropriate set of transitions 
(see below). The latter (modeled via saysTo or saysTo_0) is 
stateless and thus modeled by suitable Horn clauses. Finally, 
DKAL proposes two functions (tdOn and tdOn_0) to track trust 
relationships between agents concerning certain facts. All this 
is formally captured in the following set of Horn clauses. 

First, we provide an (incomplete) characterization of 
the DKAL-like predicates expressing knowledge and 
communication for policies (this is adapted from [16], to 
which the interested reader is referred for details). 

Knowledge_0: Internal knowledge is knowledge. 

knows(P, AnyThing) ← knows_0(P, AnyThing) 

Say2know_00: An agent knows whatever is said to him and 
he/she also knows whether the piece of knowledge being 
communicated is based on the internal knowledge of the 
speaker (say2know_0) or not (say2know_00). 

knows_0(P, said_0(Q, AnyThing)) ← saysTo_0(Q, AnyThing, P) 
knows(P, said(Q, AnyThing)) ← saysTo(Q, AnyThing, P) 

Trustedknowledge_000: An agent P knows a piece of information 
AnyThing whenever P knows that another agent Q said 
AnyThing and also P knows that Q is trusted on saying 
AnyThing. 

knows(P, AnyThing) ← knows(P, tdOn_0(Q, AnyThing)) ∧ 
knows(P, said_0(Q, AnyThing)) 

knows(P, AnyThing) ← knows(P, tdOn(Q, AnyThing)) ∧ 
knows(P, said(Q, AnyThing)) 

⁶ The class of Horn rules is an extension of that of Datalog rules whereby 
function symbols of arity greater than 0 are allowed. 



Then, we consider the policies of each agent. The first three 
Horn clauses specify the communication of (role and action) 
certificates at the policy level. (Note that while the knowledge 
of an action certificate for Ed is explicitly given in the initial 
state above, the knowledge of the role certificates for Ed and 
Helen will be lifted from the existence of the corresponding 
messages in the network by appropriate transitions.) The last 
three Horn clauses are the formal counterparts of the trust 
relationships described above. 

(Simple) employee

  saysTo(Empl, said(RegOffCA, Cert), _) ← knows(Empl, said_0(RegOffCA, Cert))   (Cert1)
  saysTo(Empl, said_0(Head, Cert), _) ← knows(Empl, said_0(Head, Cert))   (Cert2)

In the Horn rules above, and also in some of the following ones, we use a Prolog-like notation where the symbol _ is employed as an abbreviation for a universally quantified variable that occurs only once in the rule.

(Head) employee

  saysTo_0(Head, storedocCRep(Empl), _) ← knows_0(Head, storedocCRep(Empl))   (GenCert)

Central Repository

  knows(CentrRep, tdOn(RegOffCA, _))   (CentrRepTrustCA)
  knows(CentrRep, tdOn(_, said(RegOffCA, _)))   (CentrRepTrustAnyoneViaCA)
  knows(CentrRep, tdOn_0(Head, storedocCRep(Empl))) ← knows(CentrRep, said(RegOffCA, isRegOffHead(Head))) ∧ knows(CentrRep, said(RegOffCA, isRegOffEmpl(Empl)))   (CentrRepTrustAnyoneViaHead)

Finally, in Fig. 3 we give the transitions modeling the dynamics of the system. The first two transitions (GetRoleCertEmpl, GetRoleCertHead) are part of the interface between the workflow and the policy levels of the system as they allow employees to convert the content of role certificates received from the network to (internal) knowledge, which is relevant for the application of policies (compare the right-hand sides of these rules with the hypotheses of the Horn clauses Cert1 and Cert2). The following two transitions specify the processing of a citizen request by an employee (Accept), and how the central repository handles the request of an employee to store a document in its internal database (Storedoc). This is (the remaining) part of the interface between the workflow and the policy level: the guard

  knows(CentrRep, storedocCRep(Empl))

is a query that is possibly solved by the Horn clauses above.
Executability 

It is relatively easy to check that the scenario described above involving Ed and Helen can be executed by a suitable sequence of transitions and by solving appropriate queries against the policies of the system. For the sake of brevity, we only analyze the first step, which requires the application of the transition GetRoleCertEmpl to lead the two-level SO transition system from the initial state to a state where the PM knowledge about the identity of Ed has been acquired. The initial state ι is characterized by the following formula,

  net = ins(msg(Charlie, embeddoc(augdocwithsign(req, sign(Charlie, req))), Ed),
        ins(msg(RegOffCA, embeddoc(augdocwithsign(p_E, sign(RegOffCA, p_E))), Ed),
        ins(msg(RegOffCA, embeddoc(augdocwithsign(p_H, sign(RegOffCA, p_H))), Ed), mty))) ∧
  ⋀_{p1, p2 ∈ C, r ∈ R} ¬hasrole(p1, p2, r)

saying that the principals know nothing about their respective roles and the net contains three messages: one is the car registration request of Charlie and the other two are the role certificates of Ed (who is an employee) and Helen (who is the head of the car registration office), where p_E and p_H abbreviate the terms rolecert(Ed, employee) and rolecert(Helen, head), respectively, C = {RegOffCA, CRep, Ed, Charlie, Helen}, and R = {employee, head}.

The transition GetRoleCertEmpl is formalized as in Fig. 3. The set of states to which the transition GetRoleCertEmpl should lead the two-level SO transition system must satisfy the following formula φ1:

  knows(Ed, isRegOffEmpl(Ed))

saying that Ed has acquired the knowledge about its role at the PM level of the SO application. It is not difficult to show the T_SOA-validity of {ι} GetRoleCertEmpl {φ1}. In fact, the transition is enabled since the following formula (obtained by instantiating both i1 and i2 with the constant Ed and substituting the state variable net with the term at the right of the first equality in ι):

  mem(msg(RegOffCA, embeddoc(augdocwithsign(p_E, sign(RegOffCA, p_E))), Ed),
      ins(msg(Charlie, embeddoc(augdocwithsign(req, sign(Charlie, req))), Ed),
      ins(msg(RegOffCA, embeddoc(augdocwithsign(p_E, sign(RegOffCA, p_E))), Ed),
      ins(msg(RegOffCA, embeddoc(augdocwithsign(p_H, sign(RegOffCA, p_H))), Ed), mty))))

is T_SOA-satisfiable. We are left with the problem of showing the T_SOA-unsatisfiability of the formula

  ¬knows(Ed, isRegOffEmpl(Ed))

obtained by negating φ1. This can be easily done by observing that

  hasrole(Ed, Ed, employee)

holds in the state to which the transition GetRoleCertEmpl has led the two-level SO transition system as the result of executing the PM update. Then, by instantiating the following Horn rule (in T_PM)

  knows(i1, isRegOffEmpl(i2)) ← hasrole(i1, i2, employee)

with i1 and i2 substituted with Ed, it is possible to immediately detect unsatisfiability. In this way, we have proved the T_SOA-unsatisfiability of the formula ¬({ι} GetRoleCertEmpl {φ1}) or, equivalently, the T_SOA-validity of {ι} GetRoleCertEmpl {φ1}. ■
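To see the policy-level half of this check run mechanically, here is a small forward-chaining Horn engine (an added example, not the paper's code) loaded with the DKAL-style clauses above and with the facts hasrole(Ed, Ed, employee) and hasrole(Helen, Helen, head) that GetRoleCertEmpl and GetRoleCertHead write; it derives knows(Ed, isRegOffEmpl(Ed)) and the Storedoc guard knows(CentrRep, storedocCRep(Ed)), and shows that the guard fails without Helen's role fact. The initial fact knows_0(Helen, storedocCRep(Ed)) and the two clauses lifting hasrole to said_0 knowledge (needed by the hypotheses of Cert1 and Cert2) are assumptions; the paper itself shows only the lifting to knows(i1, isRegOffEmpl(i2)).

```python
# Forward-chaining Horn engine (added example, not the paper's code). Variables are one
# uppercase letter or '_' (fresh at each use); terms are tuples (functor, args...).
from itertools import count
_fresh = count()
V = lambda t: isinstance(t, str) and t.startswith("?")       # is t a variable?

def term(src):                                 # parse 'f(a, g(B))' into nested tuples
    src = src.strip()
    if "(" not in src:
        return "?_%d" % next(_fresh) if src == "_" else ("?" + src if len(src) == 1 and src.isupper() else src)
    (f, rest), args, depth, cur = src.split("(", 1), [], 0, ""
    for ch in rest[:-1]:                       # rest[-1] is the closing ')'
        if ch == "," and depth == 0: args.append(term(cur)); cur = ""
        else: depth += (ch == "(") - (ch == ")"); cur += ch
    return (f.strip(), *args, term(cur))

def rule(src):                                 # 'h <- b1, b2' -> (h, (b1, b2)); a bare atom is a fact
    head, _, body = src.partition("<-")
    return term(head), (term("&(" + body + ")")[1:] if body else ())

def subst(t, s):                               # apply substitution s, resolving chains of bindings
    return tuple(subst(x, s) for x in t) if type(t) is tuple else (subst(s[t], s) if t in s else t)
def unify(a, b, s):                            # extend s so that a and b coincide, else None
    a, b = subst(a, s), subst(b, s)
    if a == b: return s
    if V(a) or V(b): return {**s, a: b} if V(a) else {**s, b: a}
    if type(a) is not tuple or type(b) is not tuple or len(a) != len(b): return None
    for x, y in zip(a, b):
        s = None if s is None else unify(x, y, s)
    return s
def ren(t, m):                                 # rename every variable of t through m
    return tuple(ren(x, m) for x in t) if type(t) is tuple else (m(t) if V(t) else t)
def canon(t): n = {}; return ren(t, lambda v: n.setdefault(v, "?%d" % len(n)))   # '?P' -> '?0'

def matches(body, facts, s):                   # substitutions matching all body atoms to facts
    if not body: yield s; return
    for f in facts:                            # standardize the fact's variables apart first
        s2 = unify(body[0], ren(f, lambda v, k=next(_fresh): "%s_%d" % (v, k)), s)
        if s2 is not None: yield from matches(body[1:], facts, s2)

def saturate(rules):                           # least fixpoint; facts are rules with an empty body
    facts = set()
    while True:
        new = {canon(subst(h, s)) for h, b in rules for s in matches(b, facts, {})} - facts
        if not new: return facts
        facts |= new
def holds(goal, facts):                        # is the ground query an instance of some fact?
    return any(unify(term(goal), ren(f, lambda v: v + "_q"), {}) is not None for f in facts)

POLICY = [rule(r) for r in """
knows(P, X) <- knows0(P, X)
knows0(P, said0(Q, X)) <- saysTo0(Q, X, P)
knows(P, said(Q, X)) <- saysTo(Q, X, P)
knows(P, X) <- knows(P, tdOn0(Q, X)), knows(P, said0(Q, X))
knows(P, X) <- knows(P, tdOn(Q, X)), knows(P, said(Q, X))
saysTo(E, said(RegOffCA, C), _) <- knows(E, said0(RegOffCA, C))
saysTo(E, said0(H, C), _) <- knows(E, said0(H, C))
saysTo0(H, storedocCRep(E), _) <- knows0(H, storedocCRep(E))
knows(CentrRep, tdOn(RegOffCA, _))
knows(CentrRep, tdOn(_, said(RegOffCA, _)))
knows(CentrRep, tdOn0(H, storedocCRep(E))) <- knows(CentrRep, said(RegOffCA, isRegOffHead(H))), knows(CentrRep, said(RegOffCA, isRegOffEmpl(E)))
knows(I, isRegOffEmpl(J)) <- hasrole(I, J, employee)
knows0(I, said0(RegOffCA, isRegOffEmpl(J))) <- hasrole(I, J, employee)
knows0(I, said0(RegOffCA, isRegOffHead(J))) <- hasrole(I, J, head)
""".strip().splitlines()]   # the last two clauses are assumed lifting rules, not the paper's
def run(role_facts):          # constructed initial state plus the hasrole facts the transitions write
    return saturate(POLICY + [rule(f) for f in ["knows0(Helen, storedocCRep(Ed))", *role_facts]])
```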

Invariant properties 

We consider the following interesting property about docu- 
ments stored in the central repository: 

Integrity: any processed request preq stored in the central repository must be consistent, i.e., it should be double signed (by the citizen cit submitting the request req and by the employee empl handling it) and stamped with the seal of acceptance.

Such a property can be written as the following safety formula in the extended version of LTL introduced above:

  □( ∀preq. dbdoc(preq) ⇒ ∃cit, req, empl, preq_1, preq_2.
        ( preq_1 = augdocwithsign(req, sign(cit, req)) ∧
          preq_2 = augdocwithdec(preq_1, accept) ∧
          preq = augdocwithsign(preq_2, sign(empl, preq_2)) ) )

Showing that the SO application ensures integrity is non-trivial, as the central repository treats documents as black boxes and trusts employees to check signatures and correctly prepare processed requests. Furthermore, it trusts the head of the central repository to judge the capability of employees to perform this job correctly. Ultimately, the central repository also trusts the certification authority to emit role certificates for both employees and the head of the car registration office. Besides these difficulties, the state formula inside the "always-in-the-future" operator is not of the kind supported by the decidability result of Lemma 2 because of the existential quantifier. As a consequence, more ingenuity is required by the specifier. We are currently working to derive a hand proof of this property.

GetRoleCertEmpl:
  ∃i1, i2. ( mem(msg(RegOffCA, μ[rolecert(i1, employee)], i2), net) ∧ net' = net ∧
             ∀p1, p2, r. hasrole'(p1, p2, r) ↔ (if (p2 = i1 ∧ p1 = i2 ∧ r = employee) then true else hasrole(p1, p2, r)) )
  where μ is a term symbol of type Body that contains a sub-term of interest that represents a role certificate.

GetRoleCertHead:
  ∃i1, i2. ( mem(msg(RegOffCA, μ[rolecert(i1, head)], i2), net) ∧ net' = net ∧
             ∀p1, p2, r. hasrole'(p1, p2, r) ↔ (if (p2 = i1 ∧ p1 = i2 ∧ r = head) then true else hasrole(p1, p2, r)) )

Accept:
  ∃c, d, i. ( mem(msg(c, embeddoc(d), i), net) ∧ isok(d) ∧ matchuser(d, c) ∧
              net' = ins(msg(i, μ[augdocwithdec(d, acceptdoc)], CentrRep), net) ∧
              ∀p1, p2, r. hasrole'(p1, p2, r) ↔ hasrole(p1, p2, r) )

Storedoc:
  ∃i, d. ( mem(msg(i, μ[augmentdocwithact(d, storedoc)], CentrRep), net) ∧ dbdoc' = dbdoc(d) ∧
           ∀p1, p2, r. hasrole'(p1, p2, r) ↔ hasrole(p1, p2, r) )

Fig. 3. Transition formulae

Appendix C 
Pragmatics 

A. Pragmatics of modeling WF and PM of SO applications 

We extend the technical results of Section III with some observations on the pragmatics of modeling WF and PM of SO applications. In fact, pragmatically, the theories T_WF and T_PM are obtained by extending the substrate theory T_sub as follows. For the WF theory, consider a finite set Ax(WF) of universal Σ_WF-sentences where Σ_WF ⊇ Σ_sub; then

  T_WF := {φ is a sentence | Ax(WF) ⊨ φ} ∪ T_sub.

The process of adding finitely many axioms to an available theory can be iterated several times to obtain the final WF theory. As an example, recall the theories Msg and MsgPass[Msg] of Examples 1 and 2. For the PM theory, along the lines of several other works in the PM literature (e.g., [18]), regard a logic program P(PM) (formalizing policy statements) as a set of universal Horn Σ_PM-clauses where Σ_PM := Σ_sub ∪ R for R a (finite) set of predicate symbols such that Σ_sub ∩ R = ∅ (see footnote 7); then

  T_PM := {φ is a Horn clause | P(PM) ⊨ φ} ∪ T_sub.

Usually, the state predicates in P(PM) are intensional, i.e. they occur in the head of the rules of P(PM). This is a sufficient condition to ensure that no transition may add a fact to the theory T_PM that gives rise to an inconsistency.

In the (constraint) logic programming literature, T_sub is usually introduced as a certain first-order structure (e.g., the integers). This is not compatible with the notion of theory adopted here (and in most logic textbooks) as we work with sets of sentences (axioms) rather than structures. However, given a structure M, it is possible to find a theory T admitting M as a model. So, if we are able to verify that T ⊨ φ, we also know that M ⊨ φ (while the converse, in general, may not hold). As a consequence, if we are able to reduce a certain verification problem for an SO application to showing that a formula follows from the background theory of the application, and we succeed in doing this, we are entitled to conclude that the verification problem has a positive answer for any structure satisfying the axioms of the background theory. Indeed, we may obtain false negatives, as there may exist formulae that are true in a particular model of a theory T that are not logical consequences of T. An advantage of adopting this notion of theory is the possibility of re-using and adapting existing automated reasoning techniques (see below).

7 For the sake of conciseness, Σ_sub ∪ R will usually be abbreviated with Σ_sub, with the implicit assumption that R is disjoint from Σ_sub.
B. Pragmatics of executability of SO applications

Recall our remark on how the theories T_WF and T_PM are formed by augmenting the theory T_sub with a finite set of universal axioms (see the end of Section III), i.e.

  T_WF := {φ is a sentence | Ax(WF) ⊨ φ} ∪ T_sub, and
  T_PM := {φ is a Horn clause | P(PM) ⊨ φ} ∪ T_sub,

where Ax(WF) is a (finite) set of universal sentences and P(PM) is a (finite) set of Horn clauses. It is not difficult to argue that both the T_WF- and T_PM-satisfiability problems are decidable. The decidability of the former can be derived from the decidability of the MsgPass-satisfiability problem (shown in [..]), the decidability of the satisfiability problem of any enumerated data-type theory (since it admits elimination of quantifiers), and the combination results in [8]. It is possible to use available SMT solvers (such as Yices, Z3, or MathSAT) to obtain a decision procedure for the T_WF-satisfiability problem (almost) off-the-shelf, maybe using characteristic functions for sets and then arrays of Booleans to formally represent such functions, see, e.g., [11]. The decidability of T_PM-satisfiability is an immediate consequence of the (well-known) decidability of the satisfiability problem for BSR theories. Since T_sub is an enumerated data-type theory, the hypotheses of Lemma 1 are satisfied and we are entitled to conclude the decidability of the T_SOA-satisfiability problem. Again, it is possible to use available SMT solvers, such as Z3, which have direct support for the class of BSR theories, to implement a decision procedure for the T_PM-satisfiability problem.

We are then left with the problem of modularly reusing the decision procedures for the satisfiability problem in the component theories to obtain a decision procedure for the T_SOA-satisfiability problem. When T_sub is an enumerated data-type theory, as is the case in Lemma 1, it is possible to use the non-deterministic version of the combination algorithm in [15] to implement a decision procedure for the T_SOA-satisfiability problem. To understand this, let us briefly summarize an adaptation of the non-deterministic combination schema of [15]. To this end, let w.l.o.g. Γ be a conjunction of Σ_SOA-literals (see footnote 8). First of all, we transform Γ into an equisatisfiable conjunction Γ_WF ∧ Γ_PM by naming sub-terms by means of additional constants a: this process is usually called purification and it can be implemented in polynomial time. As there are only finitely many constants c1, ..., cn in the enumerated data-type theory T_sub, we non-deterministically guess an arrangement A, i.e. a conjunction of literals such that, for each constant a introduced by purification and for each c_i in Σ_sub, either a = c_i or a ≠ c_i. Then, we check whether both Γ_WF ∪ A is T_WF-satisfiable and Γ_PM ∪ A is T_PM-satisfiable. If, for some arrangement, both tests are successful, then we conclude the T_SOA-satisfiability

8 Given a quantifier-free Σ_SOA-formula, it is always possible to transform it into disjunctive normal form, i.e. into a disjunction of conjunctions of literals. Hence, being able to check the satisfiability of conjunctions of literals is sufficient to check the satisfiability of quantifier-free formulae. Although this is not efficient (as the transformation to disjunctive normal form may yield an exponentially large formula), it is sufficient theoretically.



function T_SOA-sat(ϕ : quantifier-free Σ_SOA-formula)
 1   (φ, a) ← purify(ϕ)
 2   A ← Atoms(φ) ∪ IE(a, c)
 3   while Bool-sat(φ) do
 4     Γ_WF ∧ Γ_PM ∧ A_sub ← pick_total_assign(A, φ)
 5     (ρ_WF, π_WF) ← T_WF-sat(Γ_WF ∧ A_sub)
 6     (ρ_PM, π_PM) ← T_PM-sat(Γ_PM ∧ A_sub)
 7     if (ρ_WF = sat ∧ ρ_PM = sat) then return sat
 8     if ρ_WF = unsat then φ ← φ ∧ ¬π_WF
 9     if ρ_PM = unsat then φ ← φ ∧ ¬π_PM
10   end while
11   return unsat
12 end function

Fig. 4. An SMT-based decision procedure for T_SOA-satisfiability



of Γ_PM ∪ Γ_WF (and hence of Γ); otherwise, if, for all arrangements, the tests are negative, then we are entitled to conclude the T_SOA-unsatisfiability of Γ_PM ∪ Γ_WF (and hence of Γ). Since the number of arrangements is finite (one can only generate finitely many distinct equalities or disequalities between two finite sets of constant symbols, namely a and c1, ..., cn), the method terminates and thus yields a decision procedure for T_SOA.

There are two problems with the combination algorithm sketched above. First, it requires transforming quantifier-free formulae into disjunctive normal form. This is unacceptable for many practical problems. Second, the algorithm is non-deterministic and we must refine it to obtain an implementation. To circumvent both of these problems, we sketch in Fig. 4 an algorithm that can be easily implemented on top of (most) SMT solvers and is inspired by the delayed theory combination method of [10]. The algorithm in Fig. 4 is an abstraction of the so-called lazy SMT solvers. Before entering the main loop, the input quantifier-free formula ϕ is purified into the formula φ; the function purify also returns the set a of constants used for purification. Then, the set A of atoms is formed: it is the union of the atoms occurring in the purified formula φ and all possible equalities between the constants in a and the constants in c (coming from the underlying enumerated data-type theory T_sub) as computed by the function IE. The idea underlying the main loop of the algorithm is the following. A theory solver for T is any procedure capable of establishing whether any given finite conjunction of Σ-literals is T-satisfiable or not. The lazy approach to building SMT solvers consists of integrating a DPLL Boolean enumerator with a theory solver (see, e.g., [21] for details). Given a quantifier-free formula φ, one checks if it is satisfiable by considering its atoms as Boolean variables (cf. Bool-sat at line 3). If it is not the case, then we exit the main loop and return unsatisfiability of the input quantifier-free formula (cf. line 11). Otherwise, we enter the main loop and we consider a satisfying Boolean assignment, i.e. a set of literals that makes φ true when atoms are considered as Boolean variables (cf. pick_total_assign, line 4). Note that a Boolean assignment consists not only of the atoms in φ (cf. Atoms at line 2) but also of all possible equalities between the constants in a and the constants in c (cf. IE at line 2). In this way, we are guaranteed to consider all possible arrangements as defined by the non-deterministic algorithm sketched above. Then, we check, separately, the T_i-satisfiability of the conjunction of Σ_i-literals Γ_i ∧ A_sub (cf. lines 5 and 6): the T_i-sat procedure, besides returning sat or unsat, also returns a conjunction π_i (called the conflict set) of Σ_i-literals, all of which also occur in Γ_i ∧ A_sub, which is T_i-unsatisfiable (for i ∈ {WF, PM}). If both satisfiability checks are positive, then we return the satisfiability of the input quantifier-free formula (cf. line 7). Otherwise, i.e. if at least one of the satisfiability checks returned unsat, the negation of π_i, called a conflict clause, is added to φ (cf. lines 8 or 9) so as to reduce the number of Boolean assignments that are to be considered in the main loop. This is one of the key ingredients (among many others, see, e.g., [21] for more details) of the success of current state-of-the-art SMT solvers and it avoids the burden of transforming quantifier-free formulae to disjunctive normal form, although the problem indeed is NP-hard.
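The loop of Fig. 4 in Python, as an added example (not the paper's code). Purification (line 1) is assumed already done, and the two theory solvers are deliberately small stand-ins: the T_WF-side solver only enforces the T_sub constraint that each purification constant equals exactly one enumerated constant (the arrangement), and the T_PM-side solver propagates the ground instances of the clause knows(i1, isRegOffEmpl(i2)) ← hasrole(i1, i2, employee) from the executability check. The sample formula, the atom names, the CNF encoding and the constant a1 (standing for Ed) are constructed here.

```python
# The lazy loop of Fig. 4 (added example, not the paper's code). Purification (line 1) is
# assumed done: a formula is a list of clauses, each a list of (atom, polarity) pairs over
# string atoms. A theory solver takes the total assignment and returns ("sat", None) or
# ("unsat", conflict), conflict being atoms whose current values are jointly T_i-unsatisfiable.

def IE(a_consts, c_consts):                  # line 2: equalities between purification and T_sub constants
    return ["%s=%s" % (a, c) for a in a_consts for c in c_consts]

def bool_sat(atoms, clauses):                # Bool-sat + pick_total_assign: a total model of the CNF, or None
    def falsified(assign):                   # some clause has every literal assigned and false
        return any(all(x in assign and assign[x] != p for x, p in cl) for cl in clauses)
    def go(i, assign):
        if falsified(assign): return None
        if i == len(atoms): return assign
        return go(i + 1, {**assign, atoms[i]: True}) or go(i + 1, {**assign, atoms[i]: False})
    return go(0, {})

def tsoa_sat(clauses, a_consts, c_consts, wf_sat, pm_sat):
    atoms = sorted({x for cl in clauses for x, _ in cl} | set(IE(a_consts, c_consts)))  # line 2
    phi = [list(cl) for cl in clauses]
    while True:
        assign = bool_sat(atoms, phi)                       # lines 3-4
        if assign is None: return "unsat"                   # line 11
        results = [wf_sat(assign), pm_sat(assign)]          # lines 5-6: T_i-sat on Gamma_i and A_sub
        if all(status == "sat" for status, _ in results): return "sat"          # line 7
        for status, conflict in results:                    # lines 8-9: learn the conflict clauses
            if status == "unsat": phi.append([(x, not assign[x]) for x in conflict])

def make_wf_sat(a_consts, c_consts):
    """T_WF-side stand-in: only the T_sub constraint that every purification constant
    equals exactly one of the finitely many enumerated constants."""
    def wf_sat(assign):
        for a in a_consts:
            eqs = ["%s=%s" % (a, c) for c in c_consts]
            true = [x for x in eqs if assign[x]]
            if len(true) > 1: return "unsat", true[:2]      # a = c and a = c' with distinct c, c'
            if not true: return "unsat", eqs                # a differs from every c: impossible in T_sub
        return "sat", None
    return wf_sat

def make_pm_sat(a_consts):
    """T_PM-side stand-in: unit propagation over the ground instances, on the purification
    constants, of knows(i1, isRegOffEmpl(i2)) <- hasrole(i1, i2, employee)."""
    rules = [("knows(%s,isRegOffEmpl(%s))" % (i, j), ["hasrole(%s,%s,employee)" % (i, j)])
             for i in a_consts for j in a_consts]
    def pm_sat(assign):
        for head, body in rules:
            if all(assign.get(b, False) for b in body) and assign.get(head, True) is False:
                return "unsat", body + [head]               # body true but head false
        return "sat", None
    return pm_sat

# Constructed instance: the negated post-condition of the executability check above, with the
# purification constant a1 standing for Ed: hasrole(a1,a1,employee) and not knows(a1,isRegOffEmpl(a1)).
A_CONSTS, C_CONSTS = ["a1"], ["Ed", "Helen", "Charlie"]
NEG_POST = [[("hasrole(a1,a1,employee)", True)], [("knows(a1,isRegOffEmpl(a1))", False)]]

def check(clauses):
    return tsoa_sat(clauses, A_CONSTS, C_CONSTS, make_wf_sat(A_CONSTS, C_CONSTS), make_pm_sat(A_CONSTS))
```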

The correctness of the algorithm in Fig. 4 is an immediate corollary of Lemma 1 above.

Property 3: Let T_sub be an enumerated data-type theory, and T_WF ⊇ T_sub and T_PM ⊇ T_sub be consistent theories with T_WF-sat and T_PM-sat as decision procedures for their corresponding satisfiability problems. Then, the function T_SOA-sat (depicted in Fig. 4) is a decision procedure for the T_SOA-satisfiability problem.

C. Pragmatics of invariant verification of SO applications 

Here the basis to implement an algorithm for the T_SOA-satisfiability check of quantifier-free formulae is almost the same as the function depicted in Fig. 4. The main difference is in the definition of arrangement. In fact, we say that A_sub is an arrangement for the theory T_sub of an equivalence relation over the finite set a of constants of sort Id if, for every pair (c, c') with c, c' ∈ a, either c = c' ∈ A_sub or c ≠ c' ∈ A_sub. To implement this definition of arrangement, it is sufficient to replace line 2 of the function in Fig. 4 with the following one:

  2'  A ← Atoms(φ) ∪ IE(a, a).

Let T_SOA-qf-sat be the new function so obtained; its correctness is a corollary of Lemma 2 above. Furthermore, following the proof of Lemma 2, it is sufficient to generate finitely many instances of a universally quantified formula of the form

  ∀i : Id. φ(i, x, p)

to obtain a decision procedure for such a class of formulae. Indeed, the challenge here is to efficiently integrate the function T_SOA-qf-sat and an instantiation strategy for the universally quantified variables in i. This requires some heuristics to filter out instances that are unlikely to contribute to detecting the unsatisfiability of the formula. To understand why heuristics are needed, consider that the number of possible ground substitutions σ is n^k where n is the length of a and k is the length of i. Another key ingredient to scale up is to invoke T_SOA-qf-sat incrementally so as to add one by one the instances of φ. Since tuning these heuristics and making them work smoothly together require extensive experimental evaluation, we leave the details for future work.